From 15f84333af6c42ef2e4bcc7cede8d03c8b4a3849 Mon Sep 17 00:00:00 2001
From: iadgovuser29 <33426478+iadgovuser29@users.noreply.github.com>
Date: Fri, 30 Jun 2023 10:39:14 -0400
Subject: [PATCH 01/12] Re-enabled the war task

---
 HIRS_AttestationCAPortal/build.gradle | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle
index 0221c25e..49746e8c 100644
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@@ -60,13 +60,13 @@ dependencies {
     testImplementation libs.testng
 }
 
-//war {
-//    from(buildDir) {
-//        include 'VERSION'
-//        into 'WEB-INF/classes'
-//    }
-//    archiveFileName = 'HIRS_AttestationCAPortal.war'
-//}
+war {
+    from(buildDir) {
+        include 'VERSION'
+        into 'WEB-INF/classes'
+    }
+    archiveFileName = 'HIRS_AttestationCAPortal.war'
+}
 
 ospackage {
     packageName = 'HIRS_AttestationCA'

From 146d05961de6a3c11061cc6d21db6ef5a5783c7c Mon Sep 17 00:00:00 2001
From: iadgovuser26 <iadgovuser26@empire.eclipse.ncsc.mil>
Date: Fri, 7 Jul 2023 19:23:02 +0000
Subject: [PATCH 02/12] updated application.settings to use tls

---
 .../src/main/resources/application.properties | 31 +++++--
 package/scripts/aca/aca_bootRun.sh            | 30 +++++++
 package/scripts/pki/ca.conf                   |  4 +-
 package/scripts/pki/pki_chain_gen.sh          |  2 +-
 package/scripts/pki/pki_setup.sh              | 33 +++++---
 package/scripts/pki/pki_update_tls_cert.sh    | 81 +++++++++++++++++++
 6 files changed, 159 insertions(+), 22 deletions(-)
 create mode 100644 package/scripts/aca/aca_bootRun.sh
 create mode 100644 package/scripts/pki/pki_update_tls_cert.sh

diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties
index c1ffcf6a..685784b3 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@@ -3,18 +3,26 @@
 #spring.mvc.view.prefix=/WEB-INF/jsp/
 #spring.mvc.view.suffix=.jsp
 
+# Logging Config (tomcat may have further config)
 logging.level.org.springframework=INFO
 logging.level.org.apache.catalina=DEBUG
+
+# Database Config
 spring.jpa.hibernate.ddl-auto=update
 spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
 spring.datasource.username=hirs_db
-spring.datasource.password=hirs_db
 jakarta.persistence.sharedCache.mode = UNSPECIFIED
-
 spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
 #spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
 #spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 
+# Tomcat Config
+server.tomcat.additional-tld-skip-patterns=*.jar
+server.tomcat.basedir=/opt/embeddedtomcat
+server.servlet.register-default-servlet=true
+server.servlet.context-path=/HIRS_AttestationCAPortal
+spring.mvc.servlet.path=/portal
+
 server.tomcat.accesslog.enabled=true
 server.tomcat.accesslog.directory=logs
 server.tomcat.accesslog.file-date-format=yyyy-MM-dd
@@ -22,10 +30,15 @@ server.tomcat.accesslog.prefix=access_log
 server.tomcat.accesslog.suffix=.log
 server.tomcat.accesslog.rotate=true
 
-server.tomcat.basedir=/opt/embeddedtomcat
-server.servlet.register-default-servlet=true
-server.servlet.context-path=/HIRS_AttestationCAPortal
-spring.mvc.servlet.path=/portal
+# Tomcat TLS support
+server.port=8443
+server.ssl.enabled=true
+server.ssl.trust-store-type=JKS
+server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
+server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18
+server.ssl.key-store-type=JKS
+server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
+server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
 
 #jdbc.driverClassName = com.mysql.cj.jdbc.Driver
 #jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
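Review bot: `server.ssl.trust-store-password` is committed here as a literal, in a properties file that ships inside the application archive; the same value is repeated for both stores in the "Passwords get appended here" block at the end of this file and on the `./gradlew bootRun --args=...` line of aca_bootRun.sh. pki_setup.sh in this same patch already generates a per-install password and appends it to a file under /etc/hirs/aca, so the committed copy is unnecessary as well as exposed. I would drop the three store-password lines and leave `# server.ssl.*-store-password is supplied at deploy time from /etc/hirs/aca/application.properties` in their place. Any key store that was created with the committed value should be re-keyed, since the value stays in history.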
@@ -34,3 +47,9 @@ spring.mvc.servlet.path=/portal
 #entitymanager.packagesToScan: hirs.attestationca.portal.page.controllers
 #spring.jpa.hibernate.ddl-auto=update
 #spring.jpa.show-sql=true
+
+# Passwords get appended here ...
+spring.datasource.password=hirs_db
+server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18
+server.ssl.key-store-password=53d035ff814c1dd5c7e303f5fa080c18
+
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh
new file mode 100644
index 00000000..83a588f8
--- /dev/null
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to run ACA using the gradle spring pluing bootRun command with password set
+#
+#
+####################################################################################
+
+PASS_FILE="/etc/hirs/aca/application.properties"
+
+declare -A props
+
+if [ -f $PASS_FILE ]; then
+  while IFS="=" read -r key value; do
+    echo "key is $key, value is $value"
+    if [ ! -z "$key" ]; then
+        props["$key"]="$value"
+    fi
+  done < "$PASS_FILE"
+else
+  echo "error reading $PASS_FILE"
+  exit 1
+fi
+
+echo "server_ssl_trust-store-password = " ${props["server.ssl.trust-store-password"]}
+echo "server_ssl_key-store-password = " ${props["server.ssl.key-store-password"]}
+
+#./gradlew bootRun --args=--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]},--server.ssl.key-store-password=${props["server.ssl.key-store-password"]}
+
+./gradlew bootRun --args="--server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18 --server.ssl.key-store-password=53d035ff814c1dd5c7e303f5fa080c18"
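Review bot: The read loop's `echo "key is $key, value is $value"` prints every property in the file to stdout, including both store passwords and `spring.datasource.password`, and the two `echo "server_ssl_..."` lines after the loop print the store passwords again; wherever that output is captured (terminal scrollback, service journal, CI log) becomes another copy of the secrets. Delete those echo lines, or log only `$key`. The final `./gradlew bootRun --args=...` line hard-codes the password and also puts it on the command line, where it is visible in the process list; patch 03 swaps the literal for the values read from the file, but they still travel in argv, so consider pointing Spring at the file instead, for example `--args="--spring.config.additional-location=file:$PASS_FILE"`. `[ -f $PASS_FILE ]` should quote the variable: `[ -f "$PASS_FILE" ]`.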
diff --git a/package/scripts/pki/ca.conf b/package/scripts/pki/ca.conf
index 767cfcf3..74d1b748 100644
--- a/package/scripts/pki/ca.conf
+++ b/package/scripts/pki/ca.conf
@@ -35,7 +35,7 @@ crlDistributionPoints   = URI:https://example.com/crl
 
 [ server_extensions ]
 keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = CA:false
+basicConstraints        = critical
 extendedKeyUsage        = serverAuth,clientAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
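Review bot: `basicConstraints = critical` carries no `CA:` value, so the `server_extensions` section loses the explicit `CA:false` it had before; the second hunk makes the same change to a section whose header lies outside the hunk. As far as I can tell OpenSSL only treats `critical` as the criticality flag when it is followed by a comma, so this line is likely to be rejected as an unknown value rather than produce a critical extension. If the intent was to mark the extension critical, write `basicConstraints = critical,CA:false` in both places so that end-entity certificates still assert that they are not CAs.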
@@ -46,7 +46,7 @@ crlDistributionPoints   = URI:https://example.com/crl
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical,CA:false
+basicConstraints = critical
 keyUsage = critical, digitalSignature
 authorityInfoAccess = caIssuers;URI:https://example.com/certs/
 crlDistributionPoints   = URI:https://example.com/crl
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index bf2dd514..fffa44fc 100644
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@@ -72,7 +72,7 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
 INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
 SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
-TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="localhost"
 
 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
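Review bot: The new `TLS_DN` line has an odd number of double quotes (`/CN="localhost"` opens a quote that is never closed), so the assignment swallows the following lines up to the next `"` and the script no longer parses as intended at this commit. It should read `TLS_DN="/C=US/ST=MD/L=Columbia/O=$ACTOR/CN=localhost"`. A later patch in this series corrects the quoting, but folding the fix into this commit keeps every commit in the series runnable.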
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index 6a69f104..2dd83d9f 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -6,28 +6,35 @@
 #
 ############################################################################################
 
+PROP_FILE=/etc/hirs/aca/apllication.properties
+
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 # Set HIRS PKI  password
 if [ -z $HIRS_PKI_PWD ]; then
    # Create a 32 character random password
    PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
-   #PKI_PASS="xrb204k"
 fi
 
 # Create an ACA properties file using the new password
-pushd $SCRIPT_DIR &> /dev/null
-  if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
-      if [ -d /opt/hirs/scripts/aca ]; then
-            ACA_SETUP_DIR="/opt/hirs/scripts/aca"
-         else
-            ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"
-      fi
-      echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
-   sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
-  else
-     echo  "aca property file exists, skipping"
-  fi
+#pushd $SCRIPT_DIR &> /dev/null
+#  if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
+#      if [ -d /opt/hirs/scripts/aca ]; then
+#            ACA_SETUP_DIR="/opt/hirs/scripts/aca"
+#         else
+#            ACA_SETUP_DIR="$SCRIPT_DIR/../aca"
+#      fi
+#      echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
+#   sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
+#  else
+#     echo  "aca property file exists, skipping"
+#  fi
+
+# Add password to properties file
+echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
+echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
+
+# Clear out previous pki password and set new password in the application.properties file for embedded tomcat
 
 popd &> /dev/null
 
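Review bot: The two `echo ... >> $PROP_FILE` lines create the file that holds the key-store and trust-store passwords with whatever the caller's umask allows, typically world-readable; set the mode before writing, e.g. `umask 077` ahead of the first append or `chmod 600 "$PROP_FILE"` right after it, and quote both `"$PKI_PASS"` and `"$PROP_FILE"`. The same append lines come back in the pki_setup.sh hunk of patch 03 with the same issue. In the lines visible here `PKI_PASS` is assigned only when `HIRS_PKI_PWD` is empty, so when the caller does supply `HIRS_PKI_PWD` an empty password appears to be written; an `else PKI_PASS="$HIRS_PKI_PWD"` branch would cover it, unless that already happens outside the hunk. `PROP_FILE` is spelled `apllication.properties`, and the `popd` that remains after the commented-out block no longer has a matching `pushd`.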
diff --git a/package/scripts/pki/pki_update_tls_cert.sh b/package/scripts/pki/pki_update_tls_cert.sh
new file mode 100644
index 00000000..cd124bff
--- /dev/null
+++ b/package/scripts/pki/pki_update_tls_cert.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+CN=$1
+PASS=$2
+ACTOR="HIRS"
+ACTOR_ALT=${ACTOR// /_}
+ASYM_ALG="rsa"
+ASYM_SIZE=3072
+KSIZE="3k"
+HASH_ALG="sha384"
+CERT_FOLDER="/etc/hirs/certificates/HIRS/$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_certs
+#CERT_FOLDER="."
+EXTENSION="server_extensions"
+TRUSTSTORE="/etc/hirs/certificates/HIRS/TrustStore.jks"
+
+echo "CERT_FOLDER is $CERT_FOLDER"
+
+
+if [ -z "${CN}" ] || [ -z "${PASS}" ] || [ "${CN}" == "-h" ] || [ "${CN}" == "--help" ]; then
+   echo "parameter missing to pki_tls_update.sh, exiting"
+   exit 1;
+fi
+
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=$CN"
+
+TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+
+echo "TLS_SERVER is $TLS_SERVER"
+create_cert () {
+   CERT_PATH="$1"
+   ISSUER="$2"
+   SUBJ_DN="$3"
+   ISSUER_KEY="$ISSUER".key
+   ISSUER_CERT="$ISSUER".pem
+   ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias
+
+   pushd /etc/hirs/certificates/HIRS
+
+#   if [ "$CERT_TYPE" == "rim_signer" ]; then
+#      EXTENSION="signer_extensions"
+#   else
+#      EXTENSION="ca_extensions"
+#   fi
+
+   echo "Updating cert for "$CERT_PATH".pem using $ISSUER_KEY with a DN="$SUBJ_DN" using $EXTENSION."
+
+  if [ "$ASYM_ALG" == "rsa" ]; then
+       openssl req -newkey rsa:"$ASYM_SIZE" \
+            -keyout "$CERT_PATH".key \
+            -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
+            -passout pass:"$PASS" 
+#&> /dev/null
+   else
+       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
+       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" &> /dev/null
+   fi
+   openssl ca -config ca.conf \
+           -keyfile "$ISSUER_KEY" \
+           -md $HASH_ALG \
+           -cert "$ISSUER_CERT" \
+           -extensions "$EXTENSION" \
+           -out "$CERT_PATH".pem \
+           -in "$CERT_PATH".csr \
+           -passin pass:"$PASS" \
+           -batch \
+           -notext                          
+    popd
+
+#&> /dev/null
+   # Increment the cert serial number
+   awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
+   # remove csr file
+   rm -f "$CERT_PATH".csr
+   # remove all cert from TrustStore.jks
+   keytool -delete -noprompt -alias hirs_aca_tls_rsa_3k_sha384 -keystore $TRUSTSTORE -storepass $PASS
+   # insert new cert into TrustStore.jks with same alias 
+   keytool -import -file ""$CERT_PATH".pem" -alias hirs_aca_tls_rsa_3k_sha384 -keystore $TRUSTSTORE -storepass $PASS
+}
+
+create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"
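Review bot: The store password travels on the command line throughout this script — as `$2` of the script itself, in `-passout pass:"$PASS"`, `-passin pass:"$PASS"` and in `-storepass $PASS` — so it is readable in the process list while each tool runs. Prefer reading it from the environment or a root-only file: `-passout env:HIRS_PKI_PWD` / `-passin env:HIRS_PKI_PWD` for openssl and `-storepass:env HIRS_PKI_PWD` for keytool. There is also no error handling: a failed `pushd` or `openssl ca` still falls through to `keytool -delete`, which removes the existing alias before a replacement exists; `pushd /etc/hirs/certificates/HIRS || exit 1` and `|| return 1` after the openssl calls would stop that. Only TrustStore.jks is updated here, so the new private key presumably never reaches the KeyStore.jks that `server.ssl.key-store` points at — worth confirming. `$TRUSTSTORE` and `$PASS` should be quoted, and `ECC_NAME` is never set in this file.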

From a8e5758cf40d1371282c3a9c13c15207a21099b6 Mon Sep 17 00:00:00 2001
From: iadgovuser26 <iadgovuser26@empire.eclipse.ncsc.mil>
Date: Fri, 7 Jul 2023 20:54:02 +0000
Subject: [PATCH 03/12] Updated aca_bootRun script

---
 .../src/main/resources/application.properties   |  5 +----
 package/scripts/aca/aca_bootRun.sh              |  8 ++++----
 package/scripts/aca/aca_setup.sh                |  2 ++
 package/scripts/pki/pki_setup.sh                | 17 ++++++++++-------
 4 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties
index 685784b3..2250fc39 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@@ -35,7 +35,7 @@ server.port=8443
 server.ssl.enabled=true
 server.ssl.trust-store-type=JKS
 server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
-server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18
+server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384
 server.ssl.key-store-type=JKS
 server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
 server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
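Review bot: `server.ssl.trust-alias` does not look like a property Spring Boot binds — the `server.ssl.*` keys I know of include `key-alias` but no trust-store alias — so this line is probably ignored silently; confirm against the Spring Boot version in use and drop it if so. With the literal removed from this file, the trust-store password now has to arrive from outside, and the only place this series supplies it is the `--args` of aca_bootRun.sh, so the WAR build re-enabled in patch 01 appears to need its own source for it. `spring.datasource.password=hirs_db` is still committed at the end of the file and deserves the same treatment as the store passwords.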
@@ -50,6 +50,3 @@ server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
 
 # Passwords get appended here ...
 spring.datasource.password=hirs_db
-server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18
-server.ssl.key-store-password=53d035ff814c1dd5c7e303f5fa080c18
-
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh
index 83a588f8..babe01be 100644
--- a/package/scripts/aca/aca_bootRun.sh
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -22,9 +22,9 @@ else
   exit 1
 fi
 
-echo "server_ssl_trust-store-password = " ${props["server.ssl.trust-store-password"]}
-echo "server_ssl_key-store-password = " ${props["server.ssl.key-store-password"]}
+#echo "server_ssl_trust-store-password = " ${props["server.ssl.trust-store-password"]}
+#echo "server_ssl_key-store-password = " ${props["server.ssl.key-store-password"]}
 
-#./gradlew bootRun --args=--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]},--server.ssl.key-store-password=${props["server.ssl.key-store-password"]}
+echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
 
-./gradlew bootRun --args="--server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18 --server.ssl.key-store-password=53d035ff814c1dd5c7e303f5fa080c18"
+./gradlew bootRun --args="--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]} --server.ssl.key-store-password=${props["server.ssl.key-store-password"]}"
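Review bot: `${props[...]}` is expanded without checking that the key was actually found, so a properties file that lacks either entry starts the server with `--server.ssl.key-store-password=` and the failure surfaces later as an opaque key-store error. Guard before launching, e.g. `: "${props[server.ssl.key-store-password]:?missing in $PASS_FILE}"` and the same for the trust-store key. The `echo "key is $key, value is $value"` inside the read loop sits above this hunk and is not touched by it, so the passwords are still printed on every start.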
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
index 240dd683..27326922 100644
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -2,6 +2,8 @@
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 
+mkdir -p /etc/hirs/aca
+
 pushd $SCRIPT_DIR
 
 sh ../db/db_create.sh
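Review bot: `mkdir -p /etc/hirs/aca` creates the directory that will hold the generated store passwords with the default mode. Only root and the account the ACA runs as need to read it, so create it restricted, e.g. `install -d -m 0750 /etc/hirs/aca`, and set the group or owner to that service account (which account that is cannot be seen from this hunk).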
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index 2dd83d9f..c14d531a 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -6,7 +6,7 @@
 #
 ############################################################################################
 
-PROP_FILE=/etc/hirs/aca/apllication.properties
+PROP_FILE=/etc/hirs/aca/application.properties
 
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
@@ -30,12 +30,6 @@ fi
 #     echo  "aca property file exists, skipping"
 #  fi
 
-# Add password to properties file
-echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
-echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
-
-# Clear out previous pki password and set new password in the application.properties file for embedded tomcat
-
 popd &> /dev/null
 
 # Create Cert Chains
@@ -55,6 +49,15 @@ if [ ! -d "/etc/hirs/certificates" ]; then
   sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
   sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" 
   popd &> /dev/null
+
+  # Add/Replace password to properties file
+  if [ -f $PROP_FILE ]; then
+     sed -i '/server.ssl.key-store-password/d' $PROP_FILE
+     sed -i '/server.ssl.trust-store-password/d' $PROP_FILE
+  fi
+  echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
+  echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
+
 else 
   echo "/etc/hirs/certificates exists, skipping"
 fi
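Review bot: The two `sed -i` patterns are unanchored and leave `.` unescaped, so they delete any line that merely contains the key text, including a commented-out example or a longer key that embeds it; anchor and escape them: `sed -i '/^server\.ssl\.key-store-password=/d' "$PROP_FILE"`. Neither the `sed` calls nor the `echo ... >> $PROP_FILE` appends are checked, and by this point the chain has already been generated with `$PKI_PASS`, so a failed write (missing /etc/hirs/aca, read-only file) leaves key stores whose password is recorded nowhere. Checking the write, e.g. `... >> "$PROP_FILE" || { echo "cannot write $PROP_FILE" >&2; exit 1; }`, or writing the file before generating the chain, avoids that.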

From a569bda8dba6bb953a9ae51c1ae0f274d3485c70 Mon Sep 17 00:00:00 2001
From: iadgovuser26 <iadgovuser26@empire.eclipse.ncsc.mil>
Date: Mon, 10 Jul 2023 15:57:10 +0000
Subject: [PATCH 04/12] Updated cert gen script path for bootRun

---
 package/scripts/pki/ca.conf          |  2 --
 package/scripts/pki/pki_chain_gen.sh | 26 +++++++++++---------------
 package/scripts/pki/pki_setup.sh     |  5 +++--
 3 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/package/scripts/pki/ca.conf b/package/scripts/pki/ca.conf
index 74d1b748..eed05dab 100644
--- a/package/scripts/pki/ca.conf
+++ b/package/scripts/pki/ca.conf
@@ -35,7 +35,6 @@ crlDistributionPoints   = URI:https://example.com/crl
 
 [ server_extensions ]
 keyUsage                = critical,digitalSignature,keyEncipherment
-basicConstraints        = critical
 extendedKeyUsage        = serverAuth,clientAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
@@ -46,7 +45,6 @@ crlDistributionPoints   = URI:https://example.com/crl
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical
 keyUsage = critical, digitalSignature
 authorityInfoAccess = caIssuers;URI:https://example.com/certs/
 crlDistributionPoints   = URI:https://example.com/crl
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index fffa44fc..f4dae1ed 100644
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@@ -72,7 +72,7 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
 INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
 SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
-TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="localhost"
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=localhost"
 
 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
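Review bot: The TLS subject is fixed to `CN=localhost`, and none of the `server_extensions` lines visible in this series add a `subjectAltName`; current TLS clients match the host name against SAN and ignore CN, so the certificate would likely be rejected even for localhost and cannot be valid for any real host name. Consider taking the host name as a parameter and adding `subjectAltName = DNS:<hostname>` to the `server_extensions` section of ca.conf. The full section is not visible here, so confirm it is not already set.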
@@ -81,7 +81,7 @@ if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
 fi
 
 # Intialize sub folders
-#echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
+echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
 
 mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
 cp ca.conf "$ACTOR_ALT"/.
@@ -101,17 +101,12 @@ create_cert () {
    CERT_PATH="$1"
    ISSUER="$2"
    SUBJ_DN="$3"
+   EXTENSION="$4"
    ISSUER_KEY="$ISSUER".key
    ISSUER_CERT="$ISSUER".pem
    ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias    
 
-   if [ "$CERT_TYPE" == "rim_signer" ]; then
-      EXTENSION="signer_extensions"
-   else
-      EXTENSION="ca_extensions"
-   fi
-
-   echo "Creating cert for "$CERT_TYPE" using $ISSUER_KEY with a DN="$SUBJ_DN"..."
+   echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..."
 
    if [ "$ASYM_ALG" == "rsa" ]; then 
        openssl req -newkey rsa:"$ASYM_SIZE" \
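Review bot: `EXTENSION="$4"` is assigned without checking that a fourth argument was passed, so a call that omits it reaches `openssl ca -extensions ""` instead of failing at the call site, and the choice of extension section is what decides whether the issued certificate is a CA, a signer or a server certificate. `EXTENSION="${4:?create_cert: extension section name required}"` makes the contract explicit; adding `local` would also keep it from leaking into the global scope. A usage comment above the function listing the four arguments would help, since the body starts and ends outside this hunk.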
@@ -122,6 +117,7 @@ create_cert () {
        openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
        openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" &> /dev/null    
    fi
+
    openssl ca -config ca.conf \
            -keyfile "$ISSUER_KEY" \
            -md $HASH_ALG \
@@ -149,24 +145,24 @@ create_cert () {
 create_cert_chain () {
 
    # Create an intermediate CA, Sign with Root CA
-   create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN"
+   create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN" "ca_extensions"
 
    # Create a Leaf CA (CA1), Sign with intermediate CA
-   create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1
+   create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1 "ca_extensions"
 
    # Create a Leaf CA (CA2), Sign with intermediate CA
 
-   create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2
+   create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2 "ca_extensions"
 
    # Create a Leaf CA (CA3), Sign with intermediate CA
 
-   create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3
+   create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3 "ca_extensions"
 
    # Create a RIM Signer
-   create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN"
+   create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN" "signer_extensions"
 
    # Create a ACA Sever Cert for TLS use
-   create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"
+   create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"
 
    # Create Cert trust store by adding the Intermediate and root certs 
    cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index c14d531a..019473df 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -10,6 +10,7 @@ PROP_FILE=/etc/hirs/aca/application.properties
 
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+echo "SCRIPT_DIR is $SCRIPT_DIR"
 # Set HIRS PKI  password
 if [ -z $HIRS_PKI_PWD ]; then
    # Create a 32 character random password
@@ -35,10 +36,10 @@ popd &> /dev/null
 # Create Cert Chains
 if [ ! -d "/etc/hirs/certificates" ]; then
   
-   if [ -d /opt/hirs/scripts/pki ]; then
+   if [ -d "/opt/hirs/scripts/pki" ]; then
             PKI_SETUP_DIR="/opt/hirs/scripts/pki"
          else
-            PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"
+            PKI_SETUP_DIR="$SCRIPT_DIR"
       fi
       echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
 

From 6e96c32a5e658731a6b4fe22ca2f82db97a9c9a8 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Tue, 11 Jul 2023 07:07:13 -0400
Subject: [PATCH 05/12] Please enter the message for your changes.ssociated
 event values to the support rim and delete them properly and to not also
 upload duplicate issues. [no ci]

---
 .../ReferenceDigestValueRepository.java       |  9 +--
 .../manager/ReferenceManifestRepository.java  |  8 +-
 .../userdefined/rim/EventLogMeasurements.java | 73 -------------------
 .../userdefined/rim/ReferenceDigestValue.java | 10 ++-
 ...eferenceManifestDetailsPageController.java | 36 +++------
 .../ReferenceManifestPageController.java      | 41 +++++++----
 6 files changed, 50 insertions(+), 127 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java
index 0cdda1b0..87632ce1 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java
@@ -13,12 +13,11 @@ public interface ReferenceDigestValueRepository extends JpaRepository<ReferenceD
 
     @Query(value = "SELECT * FROM ReferenceDigestValue", nativeQuery = true)
     List<ReferenceDigestValue> listAll();
-    @Query(value = "SELECT * FROM ReferenceDigestValue WHERE model = ?1", nativeQuery = true)
-    List<ReferenceDigestValue> listByModel(String model);
-    @Query(value = "SELECT * FROM ReferenceDigestValue WHERE manufacturer = ?1", nativeQuery = true)
-    List<ReferenceDigestValue> listByManufacturer(String manufacturer);
+    List<ReferenceDigestValue> findByModel(String model);
+    List<ReferenceDigestValue> findByManufacturer(String manufacturer);
     @Query(value = "SELECT * FROM ReferenceDigestValue WHERE baseRimId = '?1' OR supportRimId = '?1'", nativeQuery = true)
     List<ReferenceDigestValue> getValuesByRimId(UUID associatedRimId);
     @Query(value = "SELECT * FROM ReferenceDigestValue WHERE supportRimId = '?1'", nativeQuery = true)
-    List<ReferenceDigestValue> getValuesBySupportRimId(UUID supportRimId);
+    List<ReferenceDigestValue> findBySupportRimId(UUID supportRimId);
+    List<ReferenceDigestValue> findBySupportRimHash(String supportRimHash);
 }
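Review bot: `findBySupportRimId` keeps the `@Query` above it, whose `supportRimId = '?1'` puts the placeholder inside quotes; in a native query that is the literal string `?1`, not a bound parameter, so the method most likely returns no rows (or fails on the unused parameter), and the cleanup of digest values that the commit message describes would not find anything. Either remove the annotation so the derived query is used, as with `findByModel` and `findBySupportRimHash`, or write `WHERE supportRimId = ?1`. `getValuesByRimId` just above has the same quoted placeholders.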
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java
index 136d9b83..80782394 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java
@@ -14,14 +14,12 @@ import java.util.UUID;
 @Repository
 public interface ReferenceManifestRepository extends JpaRepository<ReferenceManifest, UUID> {
 
-    @Query(value = "SELECT * FROM ReferenceManifest WHERE hexDecHash = ?1", nativeQuery = true)
-    ReferenceManifest findByHash(String rimHash);
-    @Query(value = "SELECT * FROM ReferenceManifest WHERE hexDecHash = ?1 AND rimType = ?2", nativeQuery = true)
-    ReferenceManifest findByHash(String rimHash, String rimType);
+    ReferenceManifest findByHexDecHash(String hexDecHash);
+    ReferenceManifest findByHexDecHashAndRimType(String hexDecHash, String rimType);
     @Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Base'", nativeQuery = true)
     List<BaseReferenceManifest> getBaseByManufacturerModel(String manufacturer, String model);
     @Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2", nativeQuery = true)
-    List<ReferenceManifest> getByManufacturer(String manufacturer, String dType);
+    ReferenceManifest getByManufacturer(String manufacturer, String dType);
     @Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = ?2", nativeQuery = true)
     ReferenceManifest getByModel(String model, String dType);
     @Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'BaseReferenceManifest'", nativeQuery = true)
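Review bot: `getByManufacturer` now returns a single `ReferenceManifest`, but its query filters only on `platformManufacturer` and `DTYPE`, which more than one row can satisfy; Spring Data then throws an `IncorrectResultSizeDataAccessException` at call time. Keep `List<ReferenceManifest>` here unless callers guarantee uniqueness. The new `findByHexDecHash` has the same exposure if two manifests can ever share a hash; returning `Optional<ReferenceManifest>` would at least make the not-found case explicit.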
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java
index b3987b29..4d400121 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java
@@ -3,8 +3,6 @@ package hirs.attestationca.persist.entity.userdefined.rim;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import hirs.attestationca.persist.entity.userdefined.ReferenceManifest;
 import hirs.attestationca.persist.enums.AppraisalStatus;
-import hirs.attestationca.persist.service.ReferenceManifestServiceImpl;
-import hirs.attestationca.persist.service.selector.ReferenceManifestSelector;
 import hirs.utils.tpm.eventlog.TCGEventLog;
 import hirs.utils.tpm.eventlog.TpmPcrEvent;
 import jakarta.persistence.Column;
@@ -41,66 +39,6 @@ public class EventLogMeasurements extends ReferenceManifest {
     @Getter @Setter
     private AppraisalStatus.Status overallValidationResult = AppraisalStatus.Status.FAIL;
 
-    /**
-     * This class enables the retrieval of SupportReferenceManifest by their attributes.
-     */
-    public static class Selector extends ReferenceManifestSelector<EventLogMeasurements> {
-        /**
-         * Construct a new ReferenceManifestSelector that
-         * will use the given (@link ReferenceManifestService}
-         * to retrieve one or may SupportReferenceManifest.
-         *
-         * @param referenceManifestManager the reference manifest manager to be used to retrieve
-         * reference manifests.
-         */
-        public Selector(final ReferenceManifestServiceImpl referenceManifestManager) {
-            super(referenceManifestManager, EventLogMeasurements.class, false);
-        }
-
-        /**
-         * Specify the platform manufacturer that rims must have to be considered
-         * as matching.
-         * @param manufacturer string for the manufacturer
-         * @return this instance
-         */
-        public Selector byManufacturer(final String manufacturer) {
-            setFieldValue(PLATFORM_MANUFACTURER, manufacturer);
-            return this;
-        }
-
-        /**
-         * Specify the platform model that rims must have to be considered
-         * as matching.
-         * @param model string for the model
-         * @return this instance
-         */
-        public Selector byModel(final String model) {
-            setFieldValue(PLATFORM_MODEL, model);
-            return this;
-        }
-
-        /**
-         * Specify the device name that rims must have to be considered
-         * as matching.
-         * @param deviceName string for the deviceName
-         * @return this instance
-         */
-        public Selector byDeviceName(final String deviceName) {
-            setFieldValue("deviceName", deviceName);
-            return this;
-        }
-
-        /**
-         * Specify the RIM hash associated with the Event Log.
-         * @param hexDecHash the hash of the file associated with the rim
-         * @return this instance
-         */
-        public Selector byHexDecHash(final String hexDecHash) {
-            setFieldValue(HEX_DEC_HASH_FIELD, hexDecHash);
-            return this;
-        }
-    }
-
     /**
      * Support constructor for the RIM object.
      *
@@ -135,17 +73,6 @@ public class EventLogMeasurements extends ReferenceManifest {
         this.pcrHash = 0;
     }
 
-    /**
-     * Get a Selector for use in retrieving ReferenceManifest.
-     *
-     * @param rimMan the ReferenceManifestService to be used to retrieve
-     * persisted RIMs
-     * @return a Selector instance to use for retrieving RIMs
-     */
-    public static Selector select(final ReferenceManifestServiceImpl rimMan) {
-        return new Selector(rimMan);
-    }
-
     /**
      * Getter method for the expected PCR values contained within the support
      * RIM.
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java
index 3d1129d7..be8106ef 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java
@@ -1,6 +1,6 @@
 package hirs.attestationca.persist.entity.userdefined.rim;
 
-import hirs.attestationca.persist.entity.ArchivableEntity;
+import hirs.attestationca.persist.entity.AbstractEntity;
 import jakarta.persistence.Access;
 import jakarta.persistence.AccessType;
 import jakarta.persistence.Column;
@@ -26,7 +26,7 @@ import java.util.UUID;
 @EqualsAndHashCode(callSuper=false)
 @Table(name = "ReferenceDigestValue")
 @Access(AccessType.FIELD)
-public class ReferenceDigestValue extends ArchivableEntity {
+public class ReferenceDigestValue extends AbstractEntity {
 
     @JdbcTypeCode(java.sql.Types.VARCHAR)
     @Column
@@ -43,6 +43,8 @@ public class ReferenceDigestValue extends ArchivableEntity {
     @Column(nullable = false)
     private String digestValue;
     @Column(nullable = false)
+    private String supportRimHash;
+    @Column(nullable = false)
     private String eventType;
     @Column(columnDefinition = "blob", nullable = true)
     private byte[] contentBlob;
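Review bot: The new `supportRimHash` field is declared `@Column(nullable = false)` but has no comment saying which value it holds, and the all-args constructor (the later `this.supportRimHash = supportRimHash;` hunk) stores its argument unchecked. Elsewhere in this patch the field is filled from `dbSupport.getHexDecHash()` and queried with `findBySupportRimHash(referenceManifest.getHexDecHash())`, so a comment such as `// hex hash of the support RIM file, as returned by ReferenceManifest.getHexDecHash()` would document the join key. A null argument would presumably surface only when the entity is flushed; `this.supportRimHash = Objects.requireNonNull(supportRimHash);` fails earlier, provided `java.util.Objects` is imported. Rows stored before this column existed are not covered by the visible change, so the schema update path is worth confirming.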
@@ -64,6 +66,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
         this.model = "";
         this.pcrIndex = -1;
         this.digestValue = "";
+        this.supportRimHash = "";
         this.eventType = "";
         this.matchFail = false;
         this.patched = false;
@@ -79,6 +82,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
      * @param model the specific device type
      * @param pcrIndex the event number
      * @param digestValue the key digest value
+     * @param supportRimHash the support file's hash value
      * @param eventType the event type to store
      * @param matchFail the status of the baseline check
      * @param patched the status of the value being updated to patch
@@ -88,6 +92,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
     public ReferenceDigestValue(final UUID baseRimId, final UUID supportRimId,
                                 final String manufacturer, final String model,
                                 final int pcrIndex, final String digestValue,
+                                final String supportRimHash,
                                 final String eventType, final boolean matchFail,
                                 final boolean patched, final boolean updated,
                                 final byte[] contentBlob) {
@@ -97,6 +102,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
         this.model = model;
         this.pcrIndex = pcrIndex;
         this.digestValue = digestValue;
+        this.supportRimHash = supportRimHash;
         this.eventType = eventType;
         this.matchFail = matchFail;
         this.patched = patched;
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
index 901c53c0..37bf6ac3 100644
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
@@ -29,7 +29,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.servlet.ModelAndView;
 
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
@@ -234,8 +233,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
         data.put("pcUriLocal", baseRim.getPcURILocal());
         data.put("rimLinkHash", baseRim.getRimLinkHash());
         if (baseRim.getRimLinkHash() != null) {
-            ReferenceManifest rim = referenceManifestRepository.findByHash(baseRim.getRimLinkHash(),
-                    "BaseReferenceManifest");
+            ReferenceManifest rim = referenceManifestRepository.findByHexDecHashAndRimType(
+                    baseRim.getRimLinkHash(), ReferenceManifest.BASE_RIM);
             if (rim != null) {
                 data.put("rimLinkId", rim.getId());
                 data.put("linkHashValid", true);
@@ -247,27 +246,12 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
 
         List<SwidResource> resources = baseRim.getFileResources();
         TCGEventLog logProcessor = null;
-        List<ReferenceManifest> subManifests;
         SupportReferenceManifest support = null;
 
         if (baseRim.getAssociatedRim() == null) {
-            /**
-             * Need to have parsing implemented
-             */
-//            referenceManifestRepository.findByHash("hexDecHash", "Support");
-            subManifests = referenceManifestRepository
+            support = (SupportReferenceManifest) referenceManifestRepository
                     .getByManufacturer(baseRim.getPlatformManufacturer(),
                     "SupportReferenceManifest");
-            String fileString = new String(baseRim.getRimBytes(), StandardCharsets.UTF_8);
-
-            for (ReferenceManifest rim : subManifests) {
-                if (rim instanceof SupportReferenceManifest) {
-                    support = (SupportReferenceManifest) rim;
-                    if (fileString.contains(rim.getHexDecHash())) {
-                        break;
-                    }
-                }
-            }
             if (support != null) {
                 baseRim.setAssociatedRim(support.getId());
             }
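Review bot: The associated support RIM is now whatever `getByManufacturer(baseRim.getPlatformManufacturer(), "SupportReferenceManifest")` returns, so the link rests on the manufacturer string alone and the removed preference for a support RIM whose `getHexDecHash()` appears in the base RIM's bytes is gone. For an attestation portal this means a base RIM can be recorded (`baseRim.setAssociatedRim(support.getId())`) against a support RIM it does not reference whenever one vendor has several. The unchecked cast also assumes the repository method returns exactly one `SupportReferenceManifest`; its new signature is outside this hunk, and a multi-row match may throw depending on how the query is declared. I would resolve the support RIM from the hash listed in the base RIM's file resources via `findByHexDecHashAndRimType` and fall back to the manufacturer lookup only when no hash matches. The enclosing method starts and ends outside this hunk.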
@@ -314,8 +298,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
                         data.replace("signatureValid", true);
                         break;
                     }
-                } catch (SupplyChainValidatorException scvEx) {
-                    log.warn("Error verifying cert chain: " + scvEx.getMessage());
+                } catch (SupplyChainValidatorException e) {
+                    log.error("Error verifying cert chain: " + e.getMessage());
                 }
             }
         }
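Review bot: `log.error("Error verifying cert chain: " + e.getMessage())` records only the message, so the cause chain and stack trace of a failed signature-chain validation are lost exactly where an operator would need them. Passing the exception as the last argument keeps them: `log.error("Error verifying cert chain", e);`. After the catch the loop moves on and `signatureValid` presumably keeps its earlier value; a one-line comment such as `// a validation error leaves signatureValid unchanged (treated as not valid)` would make that intent explicit. The surrounding loop begins outside this hunk.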
@@ -329,8 +313,6 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
             }
         } catch (NullPointerException e) {
             log.error("Unable to link signing certificate: " + e.getMessage());
-        } catch (Exception ex) {
-            log.warn(ex.getMessage());
         }
         return data;
     }
@@ -373,8 +355,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
         // testing this independent of the above if statement because the above
         // starts off checking if associated rim is null; that is irrelevant for
         // this statement.
-        measurements = (EventLogMeasurements) referenceManifestRepository.findByHash(support.getHexDecHash(),
-                "EventLogMeasurements");
+        measurements = (EventLogMeasurements) referenceManifestRepository.findByHexDecHashAndRimType(support.getHexDecHash(),
+                ReferenceManifest.MEASUREMENT_RIM);
 
         if (support.isSwidPatch()) {
             data.put("swidPatch", "True");
@@ -525,7 +507,7 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
         data.put("validationResult", measurements.getOverallValidationResult());
         data.put("swidBase", true);
 
-        List<ReferenceDigestValue> eventValues = new ArrayList<>();
+        List<ReferenceDigestValue> eventValues = new LinkedList<>();
         if (measurements.getDeviceName() != null) {
             supports.addAll(referenceManifestRepository.byDeviceName(measurements
                     .getDeviceName()));
@@ -545,7 +527,7 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
                     data.put("associatedRim", base.getId());
                 }
 
-                eventValues.addAll(referenceDigestValueRepository.getValuesByRimId(base.getId()));
+                eventValues.addAll(referenceDigestValueRepository.findBySupportRimId(baseSupport.getId()));
             }
         }
 
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
index 749bff73..72b5594f 100644
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
@@ -221,26 +221,25 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
 
         try {
             ReferenceManifest referenceManifest = getRimFromDb(id);
+            List<ReferenceDigestValue> values = new LinkedList<>();
 
             if (referenceManifest == null) {
                 String notFoundMessage = "Unable to locate RIM with ID: " + id;
                 messages.addError(notFoundMessage);
                 log.warn(notFoundMessage);
             } else {
+                // if support rim, update associated events
+                values = referenceDigestValueRepository.findBySupportRimHash(
+                        referenceManifest.getHexDecHash());
+
+                for (ReferenceDigestValue value : values) {
+                    referenceDigestValueRepository.delete(value);
+                }
+
                 referenceManifestRepository.delete(referenceManifest);
                 String deleteCompletedMessage = "RIM successfully deleted";
                 messages.addInfo(deleteCompletedMessage);
                 log.info(deleteCompletedMessage);
-
-                // if support rim, update associated events
-                if (referenceManifest instanceof SupportReferenceManifest) {
-                    List<ReferenceDigestValue> values = referenceDigestValueRepository
-                            .getValuesByRimId(referenceManifest.getId());
-
-                    for (ReferenceDigestValue value : values) {
-                        referenceDigestValueRepository.delete(value);
-                    }
-                }
             }
         } catch (IllegalArgumentException iaEx) {
             String uuidError = "Failed to parse ID from: " + id;
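Review bot: The comment `// if support rim, update associated events` no longer matches the code, because the `instanceof SupportReferenceManifest` guard was dropped and `findBySupportRimHash(referenceManifest.getHexDecHash())` now runs for every RIM type. If that is intended, reword it, for example `// remove digest values recorded against this RIM's hash before deleting the RIM`; if not, keep the guard. The digest values are deleted one by one before `referenceManifestRepository.delete(referenceManifest)`, and no transaction boundary is visible in this hunk, so a failure in the second delete would leave the RIM in place without its events. The `new LinkedList<>()` assigned to `values` before the null check is either overwritten or never used, so the variable can be declared inside the `else` branch instead. The method continues outside the hunk.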
@@ -396,6 +395,8 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
 
         byte[] fileBytes = new byte[0];
         String fileName = file.getOriginalFilename();
+        BaseReferenceManifest baseRim;
+        SupportReferenceManifest supportRim;
 
         // build the manifest from the uploaded bytes
         try {
@@ -409,9 +410,18 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
 
         try {
             if (supportRIM) {
-                supportRims.add(new SupportReferenceManifest(fileName, fileBytes));
+                supportRim = new SupportReferenceManifest(fileName, fileBytes);
+                if (referenceManifestRepository.findByHexDecHashAndRimType(supportRim.getHexDecHash(),
+                        supportRim.getRimType()) == null) {
+                    supportRims.add(supportRim);
+                    messages.addInfo("Saved Reference Manifest " + fileName);
+                }
             } else {
-                baseRims.add(new BaseReferenceManifest(fileName, fileBytes));
+                baseRim = new BaseReferenceManifest(fileName, fileBytes);
+                if (referenceManifestRepository.findByHexDecHashAndRimType(baseRim.getHexDecHash(),
+                        baseRim.getRimType()) == null) {
+                    baseRims.add(baseRim);
+                }
             }
         } catch (IOException ioEx) {
             final String failMessage
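Review bot: An upload whose hash and type already exist is now dropped without any message, and `messages.addInfo("Saved Reference Manifest " + fileName)` is emitted only on the support branch, before anything has actually been stored. I would add an `else` on both branches that reports the duplicate, for example `messages.addError("RIM already uploaded: " + fileName);`, and move the success message to where the lists are saved. `fileName` comes from `file.getOriginalFilename()` and is client-supplied, so it is worth confirming that the page escapes message text when rendering it. The look-up-then-add check does not stop two simultaneous uploads of the same file; a unique constraint on hash and type would, if the schema allows one.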
@@ -489,7 +499,7 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
             // So first we'll have to pull values based on support rim
             // get by support rim id NEXT
             if (dbSupport.getPlatformManufacturer() != null) {
-                tpmEvents = referenceDigestValueRepository.getValuesBySupportRimId(dbSupport.getAssociatedRim());
+                tpmEvents = referenceDigestValueRepository.findBySupportRimId(dbSupport.getId());
                 baseRim = findBaseRim(dbSupport);
                 if (tpmEvents.isEmpty()) {
                     try {
@@ -498,8 +508,9 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
                             newRdv = new ReferenceDigestValue(baseRim.getId(),
                                     dbSupport.getId(), dbSupport.getPlatformManufacturer(),
                                     dbSupport.getPlatformModel(), tpe.getPcrIndex(),
-                                    tpe.getEventDigestStr(), tpe.getEventTypeStr(),
-                                    false, false, true, tpe.getEventContent());
+                                    tpe.getEventDigestStr(), dbSupport.getHexDecHash(),
+                                    tpe.getEventTypeStr(),false, false,
+                                    true, tpe.getEventContent());
 
                             this.referenceDigestValueRepository.save(newRdv);
                         }

From e9c33f2857fa1bb0937342ebbee7a593d569b41b Mon Sep 17 00:00:00 2001
From: iadgovuser26 <iadgovuser26@empire.eclipse.ncsc.mil>
Date: Wed, 12 Jul 2023 13:15:33 -0400
Subject: [PATCH 06/12] Added jarkarta dependencies

---
 HIRS_AttestationCAPortal/build.gradle | 7 +++++++
 HIRS_Utils/build.gradle               | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle
index 49746e8c..3ab2c284 100644
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@@ -51,6 +51,13 @@ dependencies {
     implementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
 
+    implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
+    implementation 'jakarta.servlet:jakarta.servlet-api:6.0.0'
+    implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
+    implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'    
+    implementation 'jakarta.el:jakarta.el-api:5.0.0'
+    
+
     compileOnly 'org.projectlombok:lombok'
     runtimeOnly 'org.mariadb.jdbc:mariadb-java-client'
     annotationProcessor 'org.projectlombok:lombok'
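Review bot: `jakarta.servlet:jakarta.servlet-api:6.0.0`, the JSP API and the EL API are added as `implementation`, which packages the API jars into the application next to the embedded Tomcat (`tomcat-embed-jasper:10.1.5`) that normally supplies those classes itself. API-only artifacts are usually declared `compileOnly` (or `providedCompile`, since this build has a `war` block) so that only one copy is on the runtime classpath. Whether that works here depends on the problem this commit was addressing, which the page does not describe. The versions are written inline while `HIRS_Utils/build.gradle` takes its coordinates from the `libs` catalog, so moving these five entries there would keep version pinning in one place. The added lines also carry trailing whitespace and two extra blank lines.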
diff --git a/HIRS_Utils/build.gradle b/HIRS_Utils/build.gradle
index ea0abd57..59ff2e43 100644
--- a/HIRS_Utils/build.gradle
+++ b/HIRS_Utils/build.gradle
@@ -36,7 +36,10 @@ dependencies {
     implementation libs.commons.codec
     implementation libs.commons.lang3
     implementation libs.minimal.json
+    implementation libs.jakarta.api
 
+  
+    
     implementation 'org.apache.logging.log4j:log4j-core:2.19.0'
     implementation 'org.apache.logging.log4j:log4j-api:2.19.0'
     implementation 'org.glassfish.jaxb:jaxb-runtime:4.0.1'

From 29ba16cdb57991f0b39e04049f70036351b74a7e Mon Sep 17 00:00:00 2001
From: iadgovuser26 <iadgovuser26@empire.eclipse.ncsc.mil>
Date: Thu, 13 Jul 2023 16:40:15 -0400
Subject: [PATCH 07/12] fixed issue with bootRun on RHEL

---
 HIRS_AttestationCAPortal/build.gradle            |  2 +-
 .../src/main/resources/application.properties    |  2 +-
 HIRS_Utils/build.gradle                          |  2 --
 package/scripts/aca/aca_bootRun.sh               |  2 +-
 package/scripts/aca/aca_setup.sh                 | 16 ++++++++++++++--
 package/scripts/pki/pki_setup.sh                 |  7 +++++++
 6 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle
index 3ab2c284..45259c42 100644
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@@ -56,7 +56,7 @@ dependencies {
     implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
     implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'    
     implementation 'jakarta.el:jakarta.el-api:5.0.0'
-    
+
 
     compileOnly 'org.projectlombok:lombok'
     runtimeOnly 'org.mariadb.jdbc:mariadb-java-client'
diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties
index 2250fc39..288f48c4 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@@ -17,7 +17,7 @@ spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
 #spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 
 # Tomcat Config
-server.tomcat.additional-tld-skip-patterns=*.jar
+server.tomcat.additional-tld-skip-patterns=*jakarta*.jar, txw2*.jar, *commons*.jar,  *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar 
 server.tomcat.basedir=/opt/embeddedtomcat
 server.servlet.register-default-servlet=true
 server.servlet.context-path=/HIRS_AttestationCAPortal
diff --git a/HIRS_Utils/build.gradle b/HIRS_Utils/build.gradle
index 59ff2e43..eb44b057 100644
--- a/HIRS_Utils/build.gradle
+++ b/HIRS_Utils/build.gradle
@@ -38,8 +38,6 @@ dependencies {
     implementation libs.minimal.json
     implementation libs.jakarta.api
 
-  
-    
     implementation 'org.apache.logging.log4j:log4j-core:2.19.0'
     implementation 'org.apache.logging.log4j:log4j-api:2.19.0'
     implementation 'org.glassfish.jaxb:jaxb-runtime:4.0.1'
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh
index babe01be..2118ba92 100644
--- a/package/scripts/aca/aca_bootRun.sh
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -12,7 +12,7 @@ declare -A props
 
 if [ -f $PASS_FILE ]; then
   while IFS="=" read -r key value; do
-    echo "key is $key, value is $value"
+    #echo "key is $key, value is $value"
     if [ ! -z "$key" ]; then
         props["$key"]="$value"
     fi
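Review bot: The `echo "key is $key, value is $value"` line is only commented out, and because the loop reads `$PASS_FILE` it printed every key and value from a file that, going by its name, holds passwords, to the terminal and to any captured log. Delete the line rather than keeping `#echo ...`, so a later debugging session does not re-enable it. If a trace is still wanted, print the key alone: `echo "loaded key: $key"`. The `[ -f $PASS_FILE ]` test on the context line is unquoted; `[ -f "$PASS_FILE" ]` is the safer form. The loop body continues outside the hunk.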
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
index 27326922..d89cd894 100644
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -1,11 +1,22 @@
 #!/bin/bash
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
 
-mkdir -p /etc/hirs/aca
+if [ "$EUID" -ne 0 ]
+      then echo "The first time this script is run, this script requires root.  Please run as root"
+      exit 1
+fi
+
+mkdir -p /etc/hirs/aca/
 
 pushd $SCRIPT_DIR
 
+# If setup for development start with basic spring config
+if [ -f  $PROP_FILE ]; then
+   cp $PROP_FILE /etc/hirs/aca/.
+fi
+
 sh ../db/db_create.sh
 if [ $? -eq 0 ]; then
     echo "ACA database setup complete"
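Review bot: `cp $PROP_FILE /etc/hirs/aca/.` runs on every invocation as root, so it overwrites an existing `/etc/hirs/aca/application.properties` and creates it with root's default umask. `pki_setup.sh` uses that same path as its `PROP_FILE` and generates a PKI password, so the file may end up holding secrets while readable by other users (inferred; the write itself is not in this hunk). Inside the existing `if`, copy only when the target is absent and set a restrictive mode explicitly: `[ -e /etc/hirs/aca/application.properties ] || install -m 0640 "$PROP_FILE" /etc/hirs/aca/application.properties`. `$PROP_FILE` and `$SCRIPT_DIR` should be quoted. The root-check message, here and in the `pki_setup.sh` hunk of this commit, belongs on stderr (`echo "..." >&2`) and says "the first time" although the check runs on every invocation.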
@@ -20,6 +31,7 @@ if [ $? -eq 0 ]; then
     echo "Error setting up ACA PKI"
     exit 1
 fi
+
  echo "ACA setup complete"
 
-popd
+popd
\ No newline at end of file
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index 019473df..cf2c2a52 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -11,6 +11,13 @@ PROP_FILE=/etc/hirs/aca/application.properties
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 echo "SCRIPT_DIR is $SCRIPT_DIR"
+
+# Check for sudo or root user 
+if [ "$EUID" -ne 0 ]
+        then echo "The first time this script is run, this script requires root.  Please run as root"
+        exit 1
+fi
+
 # Set HIRS PKI  password
 if [ -z $HIRS_PKI_PWD ]; then
    # Create a 32 character random password

From 7a24d2c79bc90262a13792caca364c2cebee2476 Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Mon, 17 Jul 2023 16:15:57 -0400
Subject: [PATCH 08/12] Adding UEFI unit tests

---
 HIRS_Utils/build.gradle                       |  22 ++-
 .../tpm/eventlog/uefi/UefiProcessingTest.java | 171 ++++++++++++++++++
 2 files changed, 186 insertions(+), 7 deletions(-)
 create mode 100644 HIRS_Utils/src/test/java/hirs/tpm/eventlog/uefi/UefiProcessingTest.java

diff --git a/HIRS_Utils/build.gradle b/HIRS_Utils/build.gradle
index ea0abd57..da399e5f 100644
--- a/HIRS_Utils/build.gradle
+++ b/HIRS_Utils/build.gradle
@@ -35,16 +35,24 @@ dependencies {
     implementation libs.guava
     implementation libs.commons.codec
     implementation libs.commons.lang3
+    implementation libs.commons.io
     implementation libs.minimal.json
 
     implementation 'org.apache.logging.log4j:log4j-core:2.19.0'
     implementation 'org.apache.logging.log4j:log4j-api:2.19.0'
     implementation 'org.glassfish.jaxb:jaxb-runtime:4.0.1'
+
+    implementation 'org.junit.jupiter:junit-jupiter-api:5.9.3'
+    implementation 'org.junit.jupiter:junit-jupiter-engine:5.9.3'
+    testImplementation 'junit:junit:4.13.1'
+
     compileOnly libs.lombok
     annotationProcessor libs.lombok
 
-    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.6.0'
-    testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
+    //testImplementation 'org.junit.jupiter:junit-jupiter-api:5.6.0'
+    //testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
+    testImplementation 'org.junit.platform:junit-platform-launcher:1.9.3'
+    testImplementation 'org.hamcrest:hamcrest:2.2'
 }
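Review bot: `junit-jupiter-api` and `junit-jupiter-engine` are declared as `implementation`, which puts the test framework on the library's runtime classpath; the `jar` block in the next hunk writes `configurations.runtimeClasspath` into the manifest `Class-Path`, so the JUnit jars become part of what the shipped artifact references. They belong in the test configurations: `testImplementation 'org.junit.jupiter:junit-jupiter-api:5.9.3'` and `testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.9.3'`. `junit:junit:4.13.1` looks unused, since the test added in this commit imports only `org.junit.jupiter.api.*`. The two commented-out lines can be deleted rather than kept.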
 
 test {
@@ -55,11 +63,11 @@ jar {
     duplicatesStrategy = DuplicatesStrategy.EXCLUDE
     manifest {
         attributes(
-                 'Class-Path': configurations.runtimeClasspath.files.collect { it.getName() }.join(' ')
-           )
+                'Class-Path': configurations.runtimeClasspath.files.collect { it.getName() }.join(' ')
+        )
     }
-     //jar name format: [archiveBaseName]-[archiveAppendix]-[archiveVersion]-[archiveClassifier].[archiveExtension]
-     archiveVersion = jarVersion
+    //jar name format: [archiveBaseName]-[archiveAppendix]-[archiveVersion]-[archiveClassifier].[archiveExtension]
+    archiveVersion = jarVersion
 }
 
 //task generateXjcLibrary(type:Exec) {
@@ -67,4 +75,4 @@ jar {
 //
 //    commandLine './genXjcLibrary.sh'
 //}
-//compileJava.dependsOn generateXjcLibrary
+//compileJava.dependsOn generateXjcLibrary
\ No newline at end of file
diff --git a/HIRS_Utils/src/test/java/hirs/tpm/eventlog/uefi/UefiProcessingTest.java b/HIRS_Utils/src/test/java/hirs/tpm/eventlog/uefi/UefiProcessingTest.java
new file mode 100644
index 00000000..183af293
--- /dev/null
+++ b/HIRS_Utils/src/test/java/hirs/tpm/eventlog/uefi/UefiProcessingTest.java
@@ -0,0 +1,171 @@
+package hirs.tpm.eventlog.uefi;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+import com.eclipsesource.json.JsonObject;
+import hirs.utils.JsonUtils;
+import hirs.utils.tpm.eventlog.uefi.*;
+import org.apache.commons.io.IOUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import hirs.utils.HexUtils;
+
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+/**
+ * Class for testing TCG Event Log processing of UEFI defined Data.
+ */
+public class UefiProcessingTest {
+    // Variable files collected using an Event Parsing tool
+    private static final String JSON_FILE = "/tcgeventlog/uefi/vendor-table.json";
+    private static final String UEFI_VARIABLE_BOOT = "/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt";
+    private static final String UEFI_VARIABLE_BOOT_SECURE_BOOT
+            = "/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt";
+    private static final String UEFI_VARIABLE_BOOT_DRIVER_CONFIG_KEK
+            = "/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt";
+    private static final String UEFI_GPT_EVENT = "/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt";
+    private static final String UEFI_FW_BLOB = "/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt";
+    private static final String UEFI_DEVICE_PATH = "/tcgeventlog/uefi/EFI_DEVICE_PATH.txt";
+
+    private static final Logger LOGGER
+            = LogManager.getLogger(UefiProcessingTest.class);
+
+    /**
+     * Initializes a <code>SessionFactory</code>.
+     * The factory is used for an in-memory database that is used for testing.
+     */
+    @BeforeAll
+    public static final void setup() {
+        LOGGER.debug("retrieving session factory");
+    }
+
+    /**
+     * Closes the <code>SessionFactory</code> from setup.
+     */
+    @AfterAll
+    public static final void tearDown() {
+        LOGGER.debug("closing session factory");
+    }
+
+    /**
+     * Tests the processing of UEFI Variables.
+     *
+     * @throws IOException              when processing the test fails.
+     * @throws NoSuchAlgorithmException if non TCG Algorithm is encountered.
+     * @throws CertificateException     if parsing issue for X509 cert is encountered.
+     * @throws URISyntaxException File location exception
+     */
+    @Test
+    public final void testUefiVariables() throws IOException,
+            CertificateException, NoSuchAlgorithmException, URISyntaxException {
+        LOGGER.debug("Testing the parsing of UEFI Variables");
+        Path jsonPath = Paths.get(this.getClass()
+                .getResource(JSON_FILE).toURI());
+        String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_VARIABLE_BOOT),
+                "UTF-8");
+        byte[] uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt);
+        UefiVariable uefiVariable = new UefiVariable(uefiVariableBytes);
+        UefiGuid guid = uefiVariable.getUefiVarGuid();
+        String varName = uefiVariable.getEfiVarName();
+        JsonObject jsonObject = JsonUtils.getSpecificJsonObject(jsonPath, "VendorTable");
+        String guidStr = jsonObject.getString(
+                guid.toStringNoLookup().toLowerCase(), "Unknown GUID reference");
+        Assertions.assertEquals("EFI_Global_Variable", guidStr);
+        Assertions.assertEquals("BootOrder", varName);
+
+        uefiTxt = IOUtils.toString(this.getClass()
+                        .getResourceAsStream(UEFI_VARIABLE_BOOT_SECURE_BOOT),
+                "UTF-8");
+        uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt);
+        uefiVariable = new UefiVariable(uefiVariableBytes);
+        guid = uefiVariable.getUefiVarGuid();
+        varName = uefiVariable.getEfiVarName();
+        guidStr = jsonObject.getString(
+                guid.toStringNoLookup().toLowerCase(), "Unknown GUID reference");
+        Assertions.assertEquals("EFI_Global_Variable", guidStr);
+        Assertions.assertEquals("SecureBoot", varName);
+
+        uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(
+                UEFI_VARIABLE_BOOT_DRIVER_CONFIG_KEK), "UTF-8");
+        uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt);
+        uefiVariable = new UefiVariable(uefiVariableBytes);
+        varName = uefiVariable.getEfiVarName();
+        Assertions.assertEquals("KEK", varName);
+    }
+
+    /**
+     * Tests the processing of a UEFI defined GPT Partition event.
+     *
+     * @throws IOException              when processing the test fails.
+     * @throws NoSuchAlgorithmException if non TCG Algorithm is encountered.
+     * @throws CertificateException     if parsing issue for X509 cert is encountered.
+     * @throws URISyntaxException File location exception
+     */
+    @Test
+    public final void testUefiPartiton() throws IOException,
+            CertificateException, NoSuchAlgorithmException, URISyntaxException {
+        LOGGER.debug("Testing the parsing of GPT Data");
+        Path jsonPath = Paths.get(this.getClass()
+                .getResource(JSON_FILE).toURI());
+        String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_GPT_EVENT),
+                "UTF-8");
+        byte[] uefiPartitionBytes = HexUtils.hexStringToByteArray(uefiTxt);
+        UefiPartition gptPart = new UefiPartition(uefiPartitionBytes);
+        String gptPartName = gptPart.getPartitionName();
+        UefiGuid gptTypeuid = gptPart.getPartitionTypeGUID();
+        UefiGuid gptUniqueGuid = gptPart.getUniquePartitionGUID();
+        JsonObject jsonObject = JsonUtils.getSpecificJsonObject(jsonPath, "VendorTable");
+        String guidStr = jsonObject.getString(
+                gptTypeuid.toStringNoLookup().toLowerCase(), "Unknown GUID reference");
+        Assertions.assertEquals("EFI System Partition", guidStr);
+        Assertions.assertEquals("8ca7623c-041e-4fab-8c12-f49a86b85d73 : Unknown GUID reference",
+                gptUniqueGuid.toString());
+        Assertions.assertEquals("EFI system partition", gptPartName);
+    }
+
+    /**
+     * Tests the processing of a UEFI defined GPT Partition event.
+     *
+     * @throws IOException              when processing the test fails.
+     * @throws NoSuchAlgorithmException if non TCG Algorithm is encountered.
+     * @throws CertificateException     if parsing issue for X509 cert is encountered.
+     */
+    @Test
+    public final void testUefiFirmwareBlob() throws IOException,
+            CertificateException, NoSuchAlgorithmException {
+        LOGGER.debug("Testing the parsing of Uefi Firmware Blob");
+        String uefiTxt = IOUtils.toString(this.getClass()
+                .getResourceAsStream(UEFI_FW_BLOB), "UTF-8");
+        byte[] uefiFwBlobBytes = HexUtils.hexStringToByteArray(uefiTxt);
+        UefiFirmware uefiFWBlob = new UefiFirmware(uefiFwBlobBytes);
+        int fwAddress = uefiFWBlob.getPhysicalBlobAddress();
+        int fwLength = uefiFWBlob.getBlobLength();
+        Assertions.assertEquals(1797287936, fwAddress);
+        Assertions.assertEquals(851968, fwLength);
+    }
+
+    /**
+     * Tests the processing of a UEFI defined Device Path.
+     *
+     * @throws IOException when processing the test fails.
+     * @throws URISyntaxException File location exception
+     */
+    @Test
+    public final void testUefiDevicePath() throws IOException, URISyntaxException {
+        LOGGER.debug("Testing the parsing of Uefi Device Path");
+        String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_DEVICE_PATH),
+                "UTF-8");
+        byte[] uefiFwBlobBytes = HexUtils.hexStringToByteArray(uefiTxt);
+        UefiDevicePath uefiDevPath = new UefiDevicePath(uefiFwBlobBytes);
+        String devPathType = uefiDevPath.getType();
+        Assertions.assertEquals("Media Device Path", devPathType);
+    }
+}
\ No newline at end of file
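Review bot: Every `this.getClass().getResourceAsStream(...)` result is handed straight to `IOUtils.toString`, which does not close the stream, and a missing resource yields null and an unhelpful NullPointerException instead of a clear test failure. Wrapping each read in try-with-resources and asserting the stream first, `Assertions.assertNotNull(in, UEFI_DEVICE_PATH);`, addresses both. Several Javadoc blocks are stale copies: `setup()` and `tearDown()` describe a `SessionFactory` although they only log, and `testUefiFirmwareBlob` is documented as a GPT Partition event; I would reword them to `Logs the start of the test class.` and `Tests the processing of a UEFI platform firmware blob event.`. `testUefiPartiton` is missing an "i", and `StandardCharsets.UTF_8` is preferable to the string `"UTF-8"`.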

From dbc11f15c45304f7b68fa05120b4c866bdc3b4fd Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Mon, 17 Jul 2023 16:17:24 -0400
Subject: [PATCH 09/12] Adding resources for unit tests

---
 .../src/test/resources/tcgeventlog/TpmLog.bin | Bin 0 -> 7549 bytes
 .../tcgeventlog/TpmLogExpectedPcrs.txt        |  24 ++
 .../test/resources/tcgeventlog/TpmLogSHA1.bin | Bin 0 -> 18675 bytes
 .../tcgeventlog/TpmLogSHA1ExpectedPcrs.txt    |  24 ++
 .../events/EvBootServicesApplication.txt      |   1 +
 .../tcgeventlog/events/EvEfiGptPartition.txt  |   1 +
 .../tcgeventlog/events/EvEfiSpecId.txt        |   1 +
 .../tcgeventlog/events/EvHandoffTables.txt    |   1 +
 .../tcgeventlog/events/EvPostCode.txt         |   1 +
 .../tcgeventlog/uefi/EFI_DEVICE_PATH.txt      |   1 +
 .../uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt       |   1 +
 .../tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt     |   1 +
 .../tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt |   1 +
 .../EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt     |   1 +
 .../uefi/EV_EFI_VAR_SECURE_BOOT.txt           |   1 +
 .../tcgeventlog/uefi/vendor-table.json        | 233 ++++++++++++++++++
 16 files changed, 292 insertions(+)
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/TpmLog.bin
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/TpmLogExpectedPcrs.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/TpmLogSHA1.bin
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/TpmLogSHA1ExpectedPcrs.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/events/EvBootServicesApplication.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiGptPartition.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiSpecId.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/events/EvHandoffTables.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/events/EvPostCode.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_DEVICE_PATH.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt
 create mode 100644 HIRS_Utils/src/test/resources/tcgeventlog/uefi/vendor-table.json

diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/TpmLog.bin b/HIRS_Utils/src/test/resources/tcgeventlog/TpmLog.bin
new file mode 100644
index 0000000000000000000000000000000000000000..0b8f1f398d51035bc91afbe8400d4888a28d5669
GIT binary patch
literal 7549
zcmds53p`a>+h2!6H)=?dq+LukI^;4cmCNBAxieB{D&BHAZX@U9mIif5nUNZairneu
zQp}Wyq6@02K{H)mgj^eyq^o4S&)WN_P+#Ny=J)&heQW>rUhAyAp6CC6*7K~jo_!EP
zNEGf5m08fag3om(Oj!gwfa~q2u0;(KK_WD0O+W<odn{B`$G-G^H<Wv}R|IwKy*MdS
zeGjL*Hp8L3a0_!np!4`~Rh1%?06alPK*`iqzEPE9H)g!r+U|HH9i?yHHNAdiR`;`0
zJ%9F<95Vjy3oOGYzN17XsS2L&G_1e&=h@&3)4UU_zg=-Ia+R4xl-WaR=FA^MkH4nh
zUqDom8p`@TNzuI7AJE|OQaW6xv8LYG^66ELCF|4{ZFAx7X~^52;nVi#iRS9Nqy~fr
zDABDS(9n{1$?(7%1(}4tXP4u7MapxJGh1B_?zPB_i=Q57TewoFK`2Ros{zjeH4ikO
zES9>lph?h|Ve9UlZ!23O^DykICyO6^xhF!iW#)@<Fp_CxV@j}?c1$e)PPDvqUan-R
z!mg5>Hjb%6?P>>0o5n5keZ!_oTo4uA#OWU*I))Mz&c4)|qjT%7^|5Zq<|bFwt~%T4
zG-1d1*mE~erw5%;uoStY4Wk_!TX$aFdqXNq5;YwVogXzGqeH<2a9M%4$Qk(~AE*rx
z4=z81hQc%)DI9-liEdW9rTrx@mwT^M`bB+HqO<Dml<f#MTWb=n3~GkMybBf*1=%3;
zVOrby_h!9$@P}_<3A0!*nf7Kz!fUN)Yw?#d2mPKfmLL9U&Ihy(k9Kp!9-;TltAu4&
zf3x+MSVx<utw^7pIc0xZZof^KN``Y$jdEu&X8Y^U({3-(-N()-sjZ&q#^nuX>w=ty
zu}$$W2wOVf`9#FbideWY@vhyjWhL{UH0<8;tojkH*Sr_A9j<jaTdXyZ)Qdxi3Y<oL
z#{=|Z3+fCw(^N0%-Ztsn6j^UuVj6W{Ou0;^P-@y>uwjPK7CK(#1b5-$)<sLJvX>?;
zFYkD+(8v#b*)2Z3si(Q*UgDBo3m7d&{P8VRsOh8_uHF`gutgsugBZ<^3e+23vx~=F
zB^a`Hr|IG{NWSIXl%$k!i?BX<{?@V=OScZt(NOf?4}R6*Cw1j|L2g%Z3%7J#T&QHi
z&Oe)r<b59B@h>^#^}j(EBg{{h7+zrtPGsM%5AjeMiN5+_%)y4h(vV*+`Janh!?bEa
z$%-KlwX9AQ|J&nG>Vqj1`c2aI^#z0TM;ZMo+dCINOPiba$|^2cV6vX~f<F>H-np9g
zOZg&=-tChLo}gO+v|qDpcy`A7J7TYUSY0=GMxv{?QRs4`LywU~_8Y|W*u~oucQ$&B
zWsgMHX<vV{!dt$!Kk4?;lNXczC5UuA_qd0{JwvRtpKB1DOxfN}qL(p-#^0xGzuBJD
zsT26pIN90qe%?eihmq)^z43}QFUvhOGc(5|?NFXzdRTeZVIO_k^=(B>19xA>kmv>v
zN%YIa;0E*eW}a7=w#rP>!6c#~cj6g^D3y`u>_rlsG9|g}R9T~0;d>JJ3hVo2nFb{@
zuQzV;t#_FGltizl(22co!<}q=%JzWV*3ei_Ys++<y?-&RHs_5*Kb2L!rf$rMyt}(3
zubORMYG!iUE_P=`QPg*nmY0Z|taKvL`DaPnn--65=9k1XU7s>?EVhfUPRyI@d3Gea
zVaNQ1Uu1`<De1QTcBB*CmYDr)oLEe#s=@CE_2LBzV@dQ>q2JR-H}ecZe`4CWTSj41
zvrNzTN-{>Ge}64VJap2G!2J)}oITkkwLUY|@{1AQ*u2ez{`wJJ==ToN_IC%%-}8HM
zpIU*EPLajo`*oqa!y*ME(WC8Z3%}{>7HD=>8M&-#Xy+jpYq>4u8cDyfXKHpHkS1+!
z`kjOEnx2ks#r;dOHBk?>NSz8R%;8N-;9zt-d$8XLcUt>}^N4ocRFpnzIq#aPO*He7
zXN`9XePW<TT5+Z=%To_V4?p|xiH(Z{RlPk{t>KV$fn(MOc5+d2Po*KTVR+~#OZJnZ
zZ;yN1sV(~wbz3!9e7o2#T%w@)gr?WJO`<OLKyNr6PT_E22pvCojH@GjeN7_xArA6D
z-hj_Tn~*Oe-m)T)C31u}j>wJV2ImY-g=B}0PNEbOR6H+pIufNw&$f<|ewMJK(7{(k
zgibd`_HYIpBU7j?0l^up<AHu2a)m^~{w<0<oPAVsu>o*gfrA>Lxq<{jc-A?lRxE4I
z3X<y&&=&}|Au>WNWDT_$U>G4gq>F-(4mpR8XfaxdGyzW)X~WY6E>*CVixz>+s$h*X
zTpG}FMOrY<37%iW<pTF2(4mb&0D(o~;q(s2%}DPHn)S*Q%~NgGCOaig-D9&{+Q&xx
zXv{^W<yXJAs@zX|Tn17f^F}nh!)2&9v`9n(trX500W)U>ma&lq_+$lKEVzw;u_1U&
z6WFRFCOiq~TLtf!z+3|?*M|N@aD5{jqlK1(9s=-0XcDNJDN5#fG@3XPlM<E2KL#KH
z#ui%Tj184aS#7y}Vzaz0WA)E8Eb}(r=T9~LrP<?+E^AxOK9Q#vl#X@vZoI;qa;zhK
z1}9vKH!&PWf6QV#c!$eSi#17$8E<<Du!4&M$XMY5V+&~c;-nMdj6^%A__~(+Evtl|
zIX80dzUamoN&VUjT|I7bmiaedO(%3}W{mVx*UPPjqB}Ugg+~r#2IVh1Lp$&3?f?5u
zw<QdpqZ93<;=c#&A7gEXDMJ~`S{;ppiD7_Wyn!2Dv)DUaX!|2RjQ$wcSy>EYnE+At
zHt)!SXRb;bBe^m(OD;E+nlNeQ-OE(RuVgqaQC!s5^}KSouKsZ~xu<H8p#5W9*I=Sh
zhH}*q&hYy&HOLyTYcG<!JFxeH>*L(F9ij*8B`a9xa+_@3t54R9<X%_Xb#_6elXqPH
z^Nd@?&odXxm~--FyR#PBDJw>lO3tbV?H}Ww3h!_k%3Yh}uJGP^Fo$^XhCKqu1P@v`
zUL2wA2&=>go&lsClt-4sswQA1sKc5tf=iv;C-6!)h8{z>7DKHA>qG-?JPNP;k!u9W
zh>D5Bp8TQpfp-S@9um-?o`7`Sd``Zy`oll&whF^yUH_El#XglbTbp?*$D1pXR%xA?
z2cwJ}y}UfU-3Yd^DZ%9Py*!*9{XBTygsTs417XPH`4QH9+yO($eTUNgcfSPiXv}GJ
zQo;;=lu~%#A3YY97`+t!N*TSB_<tpZ=MGM3p-&gO)_AEuxa5_=2=>;TJ#|f*P3YYu
z<pNW!>sl{et|b%^Fd9qX!kW_G6T6>b7O&P;Tt&3RBIM?b`!RdqBGmYV6P#8gs=>aT
zV|lf{??m~%b+NDYemmH~YU?;@I9X?ME4TwkhYiyfHcc9wlL)15)F2avL8KF`p6OWg
zZ2W+-TlkyTanVX?vz|qs!Tqt5rvI=Fdlnag@UA{5W;*!AmsuR!P$O<&ndVt~leYO*
zPDI2tL!~;lReUI4zFsh+68{f_%fJ!pq!(ff3}K!5k~=g3CnmM}2-x==VFmg@KfdwW
z{8X9et8#wks~b{h%u(tUy(>$HXApxK#z3X?`>F&~MnM3F&E!77MH|q6gD=~1rNw?i
zp=D@DuWGl*l;Z<c(RU;?+13SBnRm{$|NB>TnZg~YlplgWGLs>|axQSe`wrfLT>ciH
z^wjDHZADtFh%)zr({ti06)e7#kT(CptT5a#L(VnB1YM?Z2lQVJA@EPl|8W1uw5~3h
z^mCkPzR9jfq7qv!AOi|_K%a`W(fj|%_&4y68vmOe=0_nA%l6chb?Fj+K>(Xt&#;FG
zSH;7?yp;1P`!`PYn|wdJTiJbMGAHCPGfR4fbbZ9B*I&Emfe+*aKarXI;t<(Ek9>g}
z(ZXN<Q+D%zk+<R<>z##hT8$R=`I6GBE!Wm1&Tw#Q?-Q_Z-`p$_r5PlqRxw_i{8mX#
zB`rj`gDaOZjUlvfG?@iPe|I+VS>4W}ZPv%U^smcLlA;HT-WWHA#n10wZ!D35w#+-c
z07lz#{rr8r@##dKMxQ#Oh64PPhaV2Le|8HV>WW`~lsR@IAyJ!_cq`y6qo>KCcb9Th
zJiX{IkvM0c%jbhgSL6kft`O{=D4cw%`jjg^lqd~FzwPAberwLf^arPs0(iDD`YIW2
ziM7$z{eN+S%K7E1UPJ+qTvHDD$!uUU1e{FKaL@2iA52nknB&>g7mA%P?IK&Do94&}
zyU2=0qtoZW(P9T5LT>Pxz=G6u18m|Juywl)`~3R<#9nb5D}L%s-sV=`e9oK0C%gVi
z3=3>8^byR|zn}4A$*dl7?hUB9FZ=A~o^7~7?BLy8fu6g1Gpnt=qBXLEkgwH9rt^5V
zQZb&7NcQSN_NMRq8+`_m6WgPgoSD6f%iQWvwf>I^uZpsXU2j&ZBuS@FPw^f2DS(Rm
zY%1<QJN9kWUk0r7{O0?l@Ln?;zDr`MXGAO0OmV^17z?f<yISe<W}hv1yw3AA+x3i+
z385Cbws&7>{QS^bl^mm>T03`hPRRT0n=C%J$l2ZT*k3zvZo;8X+x=BqN+RFoiyf*k
Z3Uxc}%4JljeszIlpGQT``p<y<e*pfmQL_L5

literal 0
HcmV?d00001

diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/TpmLogExpectedPcrs.txt b/HIRS_Utils/src/test/resources/tcgeventlog/TpmLogExpectedPcrs.txt
new file mode 100644
index 00000000..c7828a7c
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/TpmLogExpectedPcrs.txt
@@ -0,0 +1,24 @@
+5ef6c69a589a96b5ade6a09e960eb341e6f68a8239df66be34e5e991ddde97a8
+0f16d93fe0cbe7114fd9fefeb1d98a0802b184b6077f05275269aa90ebb8a993
+966eb0b055e5b656f81c08ed1b2107cdea5740f321382d07a0eade7d014addee
+3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
+c919e77702cb066016b575c008659ba7d758b0b4c3f9df29658e1770699823d1
+45f6dd68feb493ec2f371f2fbd2f904181a20e9491102304f239745f6fd1eaf6
+3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
+65caf8dd1e0ea7a6347b635d2b379c93b9a1351edc2afc3ecda700e534eb3068
+0000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+0000000000000000000000000000000000000000000000000000000000000000
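Review bot: Nothing in this commit records how the expected PCR values were produced, so a reader cannot tell whether the test that compares against them checks the event-log replay against an independent reference or only against the parser's own earlier output. Because the file is raw hex with no comment syntax, the provenance belongs in the consuming test's Javadoc or in a README beside the fixtures: which platform TpmLog.bin was captured from, and which tool computed the digests. The layout is also undocumented; presumably there is one line per PCR 0–23, with lines 18–23 all-ones as the reset value of PCRs 17–22, and that is worth stating in the same place. The same applies to TpmLogSHA1ExpectedPcrs.txt.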
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/TpmLogSHA1.bin b/HIRS_Utils/src/test/resources/tcgeventlog/TpmLogSHA1.bin
new file mode 100644
index 0000000000000000000000000000000000000000..95b74c381d0edd1fcf5b74960f946d452bf8222a
GIT binary patch
literal 18675
zcmeHv1zZ)~*7xDi-3?OGb?8Pyq`SL24joFjAd;e#QX(L&ASo##NGmCV3Zl|2{mub-
z?(-bI*ZY3od++c4ec#<MduGr6&z?Pd)~xlPHESOb2n0d}mPkh9c#1ki;!7qJq^?)K
zuR3t@3sVC7WuQ=RT6rH!Pa9fQTT3q=Pg@&WZBAJ&9aW$b1VRIrF7B0brf^UnHSxZ`
zbm!H@oC-c#JYfH&LuVZ<YF(+qa<%PN(t1%C9syV)D<i*Lu3u40v$b({q<e^r!dFEI
z!-Mc*PGKw1`gz;1ZUOkvH^;*ps#4O5s!NHllDf2IN0@`q1b{lr+4=b1)DiqrY|z|2
zMD|-4uw#J)I|nRjgKR<8ARmw?u$BQqfj@5$!bPKF@7=b|(4(HbNF;pwcBE_n&=6s3
z1M%lZ!RKv(`hhxF(f}!g@(kM^&Zj+6im81}Y{I_oc~MslU<Oq6+>bIpsYM;7r7Mol
zn?S-5b0Fd1s9Z!a0vL>^k=GIxw^-LK#o6oMKjM%F!A3!6i&lu<!$v^BL<T|Zc`za9
zD2Td9D1=~LZ5|v57Oa4Vg{))iZ|TKD2*HPyQL!+zpgwLkv|3PWXC49w9&9HD7W!3N
z7Z+MZH)}2)8VEIPA0igXANy!ETr9oqpq{R@%C-TJOQhI5f)GIn4=;ol0ueGI#pdHV
zFY-Ykf=2(oj)Wu7|9KD)kU@yy2)H0fI06PZ9037TO)DxDyJT;`KyVd{cBQWLD*4o?
z;JY?gWrHv^juLv~({{2dt{2%XL6b+f+&?lu5*}zQeRLTd(oumCSt0ZkG_$=isx2tx
zOYUpKJi~MaLoPNCw3fDblX{!=jlWQh*_6oI6HtQQ?ba|JzI!`@#H06`M0%OG?BlJc
zP{Z#L4NdnOe7ic>wbzoV(BQaXo~WaKl|SP;p+1PCo=<7;r5diOMB3N<-oghqNW_~T
zGgg$2#lfouOgDNQ&1E~xMKIo9&S~|ypO*K&WomDLP{!*as<@<%4~e#7Y$|EJ&OAni
zjfZ?3lxsP^&;4$?tkC0AXn0<e&1RL^vl8n<k2F~@A_54ZKn@}c!2#|lH7)|eDH0MQ
z7`zQ3fRzbhWi$v1umU3>oZWS593&DXqHEA3Dm+@P3_apCkz)lig+ZUsg?}DsK-z$T
zMgVE;)&<PJ@~p~JbYvVLHF4_Z9YpYsn_zWp2OSYCUb9Hny3U8)N#hXWMJ`-Z(OI}^
zzqx@EW54D>G3nq@*(z1%cF*vV7G`$(OD$$9mrElz`6JQ|***${91JnNYnUV!x*79s
zAHw3Ny?HXtWiBOXy`y8ji95nuu$Uh(QT*n#ktuGL&G|#w7)ue;u2FBRg$O~@*y&iu
z01fD?b8#SQ+Gs^VLz__P{@g~yS1pzlv3em4-2Am*Oc2j_wbbsnofwK(q=-qr&5VG{
zZ5*=3G8`_`$Sw*Dtt4r}lDd?N$s(_7Y$d-`5?_|<F)n8jeN-5mmVhy#oY3h)dN-Wz
z=t3dX>OM-kzt>s8)ob2s9wt(<Ykg%K0;m*tE%QSUfG~cj8)cB(FI2+j57^kRRYC`#
z5=wul1m>)Atya^=H7bIBGTTdK{ctzw-}fZ`StaoD3j->Fm+yy4;N=%Gf;j&V=_UpU
z-MMa}_?vD5R1&S6zqNy<o4xIse)^qS7)r<ydnnDSA`@S>mTAYC%@;Q}u!*m@6J-4{
zsp|9c>C8Jjh%shDV)(3X_uN7Geeu)Kledm{zO3yHNSU+L&O@`6HWQ?!o@KP%=hI#<
zRB%s0Di-usGPJ_ku6cNyXKUByb{Hi}o_}+`KW#*++BRAN1O;~|bF!T;s#F>${m?7%
zd701Dp^1WnBIS17$^EK#Z@%43P}{v`7(o=5-{TaJY<_^c`B~5X5!V-<(;d%LipkDP
z&Rw}1re<ke-6oV2n<W(|@kUQOaA%q~TDGYWu0Jm++{zH(E3p;#W5H_AMV8te-wqQ*
zNMskOZ$3o9K(#w9ksc;8(?prB4hU#JR||F!n}0$rfFLw5Rl$Hn1|bRkwPJu-i*vn!
zin@IV@6Gs)!I^v3wI|{hp1I#V;Y9LGZ_vijBJY|oj?30Ub-{zl5}NPZUS~F^<=@Kh
zHQQ(nLYl$BcOi>;Z>Q>N%W~N(zky~_sZU*oy`Jd3EWyqv%6D<kN~I#_FJ<qtE=<1j
zl{czfHjW8&Z0q?*b;OC2Q!67UtmzI)FTbZW<Mk~}vr_&#S7fE<8-e)*K?>D?qn+E%
zm=wiCo)Md+e(nMx)!m|z<MYLd&<MpQ-*{{PfHCTnW{v>@krj=h<;gGcA$v(e8W4PI
zHcvzSueJ=SFTQ+Pk(Mhns~lOXy$<yrnB7&YvO-VGd5u1^<4{1>#ruFz%68D+_1@Oo
zPW;NJamsfTQDktU^%ZU`l~!<|>ZCgh!jk|plyib`gbV_;WFGh#BJ!%XSg>p_Ci*Kw
z!jZoKL}2LriN~<S7>+#yBf<?VBrN%_&)5%pk4A{0Z|UXW=w|N?b>qQ1yX8ozgs57!
zHm*=N8=gxLD%cZ+K}f9XXzdC0g4%i0%0fNep`MoBj=&LO5RtPdj*$14^|U$;jsU;Y
zu=Ml}pjEZ>bhh<&cd@j#1?UCT`-~|7)PR?t7sAiOD*{ss0C9j71z<%;Sm?i`&ukEu
z^FGu4y3fjT%Cxf5w7d`=9)K(SV-C^vr8cg$T%W0msq@?7q5k!&U{h4=DWwH(w$D|#
z%dShyAq}65ta$_RN!4*aVLlQjPQBf|GZ$H%nZ>cV^DKD`{lmvLq~bCN)vUr6ibkf*
zBh8SWDD_0z=z$aN4-Zbm+g85z4{U2YS&3rGHhg3}K0)4p(?#?c|0BcA1ovl!)T+xB
z3)u%G9pmkNZ@zSKFJ!D<jz?Th*o^<ysdOldPk<R*E1%->?laQOr5!$`B|HQ+kA?jR
zLh(~ZbZ!UVYp0Fs&)=1Muo;vd;*11H%xBq(y=G;5aO7#2zf_U3wktpw+6`WwH-DYu
z+rMU=(q0)L6&Vl{@=2@sOU?~c$3)_DWf6{`4vdsCz!uTjQ4o+2!i9(t049L|`V(ug
zI+E?rl`QPDCm1oF)GfR5x-QNfLjK1AL|`PWOBevN_5oReWI@spOqkxlg%J{jXb3K>
za7IXwA&3AW`HR|-v(u9O5Nv?oI;M7?K^IL-l-{WrVgfsY21ys94bjY1&sB|9cJTIg
z7v<)*_H^NLy^v)tYp5%?yR#!~FSolV)W*l!+lw0z3qZyJ(FNod5L!T1%>iM6a034j
z0WJUvu|PosE)*FV6#)TB2ciYhxF|!w(N}+*$j{I3S0}Rd{3p)f4fpsWh6987CNg%1
zD2)u<%O-xvmO_O!o;$qpMa!;uHNV#9dJ?FVv(VS*TfnmhAt%incs9EqY&OC6&-aQc
z{aYFbVhwDt#`Js03(S$nrn`q62NaZfpDme=Kz7=8>Kpx03)oMxrup?Em&1E2q#50_
zoxh$W;f|-%EG(wc)UaVCD4(*h;@#LA4}3W6+ko5?u!5VElHGAK3k`O`z44}9ZiZho
zT?BW*OmBh=Iei<oNajhd-!U5brib3^2hj|LF?~hH2ElI}?TM3v!!|<*7qH{w#A70t
zJ`J?UE|hadrrvg9HwwIZpj8^y!%5XNr!@=0|DGw)Zc+7tueKm|*p?iFVzDf+usu9R
zO}LsH`vp-9^f-a5S)^|9bLZTAKXc?-n#>w&e9|>(u`o*eiG5i^+dk~(V^E6vwvX7O
zlFLUL(oz9)oaz`(%)V|~E9s6mDslH>kcZ?t%C(8YXbvGrr9y(1Q%a7M{1Xl<W8guT
zG_27<7y5wm>h)&C{A(5^U8o&&;Ty-BUjle7S|`dL(i187wofQ81zph>sQIk!^R&tW
zkzTtZIe>aBOPYo_TF1TSJ+=UDU=_b-<6R4}^?;@P8Y<I#lKPkzUnzHM?=nJ#AACwa
zhzq#a>4@{JfQlCR?)P4z3eb4hRvQtXk28NRWo?GVmPyqMeKo-m-pJPb7kqNqN_V8}
zIby_B!_rfN&ZyWFDoY<j;5E0ehJ0L9B3-Vad1?s9-WGcCf+=wJ3Je0-08bXYZCU-n
zCP#kFCZ7Xrvgik!<ez_mKlBd0LN$9?)0nh+4^Bk?y(I2}QS$Nd!)yj%I(UQuMhO)8
z1R(-O5Uamhj{oDgT?z=<nXSOW{~M#!mAj@$dsXJQwjn)p#Amk|Jh<=c<YoC-jwdqe
zL54Q__kNQ2T_d^B#6q@U*{@wYx2BT6Q`;qv->Z=_R<MmOox1{V>U$zRoA^o^Yi^~6
zLbxwM04tOrsI2Bhl_!KVWPTrIZ6K?6hYF?Az<H&kLd*6v1KE^`ySX>(6M4vxT?~(Y
z-my9f@_ZV2C0*|81CPGUDf-fEI%g%;8=Oi!qVhDUxBP`mrH?-)y<6p=vmesMRyR4q
zuBnKaKIAt=-%}1vMqA@4yFZ8gU6-du!bSsQixJ!2(M#!0tAuh5E7`D8Qm^|Iub4G$
zg6&aSVp=#R$4K%+O7B6n59H-(g$hHc44awqnyuvM=eEHfV*6Jji5dzagehl6BrFKV
zh2BI&{EJHeB~|<zlQf<7<Ln8w1L-zmw)4a~*FlOz7U9J4j7j2^N{oS-x>-MqY`Mlx
zcn1_pVoX*&i$BUeGSd~djfe6)(A1hrFV7qR9fD7U@DBu5WbMDWA&`zg-6+7U%uBD`
z=UuP}{bbcO@lG-6zy$GS;H}&ao1PNk6I0oycejadCWcLl#pk@(A48967BX9(^(?ea
z^m!smQxpZ3z4{$jj(t2WNrFl|%JWj4TMv{k&8w#zBYax3#vu9GW(#2_i&M@ml7ytI
zHSg)Kd?8%1w}U>HDz2&3Kpua};U%$rYl#Sz%B{gu?X`VevD8h?-Du{C?9B48#5O|%
zaSUm01$usxPfUw9Dj4Xi(Qq5^d>39+&BghKmQs>H>Q~#Nhv1)fsUJ-8GO+%cNuuBZ
zO!E5$lSCWsI%ASZa0C0lnn?=r^6>KV3tTWspvVU+Lc+rSst^8$*e^ST^-Mbu(*K%C
zo@t7ImP$TEb5VIIhwh||RoE62g5rZEi=bmOM-qa%k`jbj<JF3V(XAwBnfro-GktW2
zJ@-&mF-tl$NxVVl_;d4cPFEpWT!?g>iD85TZ__RLSF0Y)bn2OLfu~omBqZ|IFey~{
z)ULi#xuirMJRhD(?eC|GRn@YKJ4!Oze8B!tQ`mIpuyNWSJbk*1L7DzGqMn@aYhBw7
zsT&_?SeRcOtm&CieGX0wZd<=v6CkoMRbv&e+A8e+(cv=DE51TBp|=K(W}|^C?MT{a
zi)vMDG1h37P-|ktZ#C=z<5-sVamL4H<uM_R(e~;d1_bm-^z;MqYdRjF0Sy5I-#cil
zPSyDcZ!f5%FQ8aG0T<Mts3h`P9faX;`@k?q)c1DhXCZ#tN?VLV)M|N5H*jg)L;u7$
z3Cmk$(ObgZvv0js=W%;We=m;m&3_o@-{G{sWSjzMGN+K&1AD$$<#-MT0<70~eVGH-
z2&9>1D3wZG!-N$K33a!=8t@m9V1}2PmWNM;Mo6P1KBeA7Y}leOrQFa++JB-ODZ@fV
z+fq}ZN%W$v?Cu>ps-$V$BftB1ypm&kTUxXlkTtMp_3!6eu3#^?GEPe2l1lXq6exA5
zR%Q}Vqv<5Jylie@mr!J<;XQJqb5zgj36|kM5=0@5Po$M<dy>iM!`%N0v0&G9cu`R2
zdV@yoD8VplYm@ivyGx0oZ&%2+xrs=ex!>E}s$y7p89A}?t(`BtTu+&dbHm{dYX9K6
z=XyocOmx&e4muS+_H|sPb%&VR6kT4QJg0Cc@d8Ht!j<xIq>8=?DZ|{z;X5i;$@CQ7
z)VCz$ajq84S7q@FR3Fr77juLy7b1J~<kUBQp}cB0FRz1hTQB6v1Co0+(L)ZBNes2z
zW{Db63Ec_d=F)lFT-b9NBQ8Gkb&j=k(Fdr*yB}4Dr^-3}v@bF83cYmE^1KsWwIN{X
zM7~oa7N((B#LIb-e{)|Znwd;DFTB?%>pSG04pEVOIwN-v)4X&Vg$ek|Li(pDV{yqV
zP4Xn3x*r+ot0!+PBBHPr>|IK_)(OHMBft3xM}XN1(Sx{XZHPHH*HFmfyKq|loWJ|`
zMwRH8wB5N1u-vL`M_oa%BZ&`cO4d$Mvtfh*y!}A^VLz6B?THu%>__W`{Xq5AJF_2X
zKiQAie~B&zzBQcdV%ERuVwjhKRu*{Ua<p@_w)D28mG<#=fO<Lt&Is5G-MIsT2f`!5
zBg_vF$uqNYUKD^8Az_jKlCE+=IL^Du__wa=JG$9G{k&*3&R;?S-wLh9KWjN=u$uDc
zxzIl?zSv85YzEP_IP&qWl_T}(gs!4QG`*mWoZK6U-x98RTv*N-Xcd5b`bp^uk^rsy
zr>;fkx$HJUpRaK|GYRes?}Tc-ucfmX$5=3Mw7!#nXuqe)eBW~kwdhsDB{6M*z=hFe
z=7t!mlZICe=+NS8$?b0G;?kpi1y@YLPO8g}G>j}Jf~Uu_#29IF<WC1@I|x2@7&EUj
z`$OW5+0dQoZ)#hRaI`s4Yd0<{Zsl0sigG~rx@sDfufskQutz*7VCq7}ZZgoE%@7ZD
zt7V!LB<xflW3Fi66_ZZk`0%pd?@OtU+MWp}QjG0WS+e4qIahMOWuwan3Wyh$Ll&?c
zSN@?BqJ$MJa+{><u77{h{(be#4}rRs+W#{q;q9(oU*ea16Dx;diL@l+@qtXTE{GnC
z=h7glLsTKkxr({+(Q^MSCj=nAfbaq`d+vUK2y*iBow*;3E@(60eo%v`K$I@Zfcru6
zpL0L_owk2z28fOVJv1K%bhy>5iAXk!YvH=FU%?~vIw^J-QYhkAjY~&nTIIQxWEn7a
zD$FJ4yxq3IQa?qV7&nbRPVrI&L(tCY)-vTdQc^J)X<=5wM=4%G->!C}?$&vvwr?b(
zWt|RdR%J6fE*cPnqNTu-v`1>Ux0eH>z4SY@=)CxiwhH3(dXT12(O165e;U{hzFo1t
ziy4P@c;ywfXNY$F(sS#%PZB(~RbdO8W&I?D4<w4KvpQskk|ND@s84TxYowM>f>wE{
zNk5Q!V7`#YR)e4H6-URiKJea4#9Z>RiN*3PB3|(*`q%B<^r*TJ%~(5m@`U^<0*Np-
z2V}pdWEHC$b?vAx8?VRkBjPAqUC;R1do-XV^op}kKalD~;$1zi(ZN{P6L1t*^xKn3
zw|Pf8q4#0KyFTQ|_M@r#W~`JVJ*%7_`sd}mjE6=Bu0JLr55HzGWR?^5#J<u+V6%DQ
z%H@v&`4~PZyJUJ9Z~QriktvskVi9sm@ivfW8-qElpP^(i&~@$myL>btMG<6ACO~{$
zIJwE$xSy6IwL&JhF%W0sEcqC5)SZkC!)eZ3e)z352JdF&xF8LiyU~J-A)1G>eq(S%
z*gBo~HdXtJhNM)SSh>{buhp~}&+qlUxKn6qHI{3QM%&_p=NBZgCD-ua?t?!4P$*vs
z(x6|V6_sJ|h2!D=Q|dg~egUpQ=?Z9J(&3f2_jFZNiGOxH{O~D&n1MQ2f;k@ie{wx!
z{V*mWKi22i^BfY6;tUB#(!MYzSWe_;6+gd>{O>X*!1r#zfeqn@@bbZoiNJYL09J$q
z{7Y=f#V0R9ieK20a{~hTt*4?bph>iP9XGPR+=k7E#A~PtbypHQhiJa~L3>YHm2e=<
z5TEW&BZJ)z7mI@SOOlAj9nG@fvN@&@T<;^pJMUg~=kIB`8*xylJtl9hyc1Mumj}(V
za&uK~<`!^yU+83QWPZ4Xt!nuiBbaB&1!G9{F79!N@U_ozFTEUnbsf`H<|o$qml~^S
z23Ui;)N=@l9}`k~8d&MM#Dx{u_}#l^%bF8G^iTyYH)5QDX3KmQ$}u=aGJ)fX#4_P5
z`JJ#jFrPF)J@}pIe2zP_bL;fcrI)A^ZO<`NFR{#dxsK?3Wl?E$Hhpkv%10n{htZPX
zNv1C_N3<!{@I!%&tEh&t!tjLw`2>vA>_0Rh!|Ek*sAvP*m&xuefKIo@0;q+W|6@R4
zj`1JH$r}=u1G9RxNMUy%VJVQX#6MozxDbK&aEQc(tpX#E@cdm{rJ=0IZ3DIT;+ECW
z=C-l5v-ENC=5p|Mg-HEzI2giziI<idqyhxt*n=!VE+BIth6W0(9f9DS0HCA|gymQQ
zi!I0%SloauE?R0hI(p_==aMdpu0?^ahejQU^^$&lbucf|k>=iMlh!$*SCn-7WIl7-
zbq9J|JHe=Ut77_^%kvOw9X(2MYL6~WVx8dD)rWUv_>QrYE?@q%|1Q1vsJ^UqyF)~;
zzG=nl3F%C5v<5@G-sRq=BI?W-Zsw@PygH0*Y|2|(AS>xc1@D;fV~tnaF|3`4rR=j5
ztN~vLE@wus3~`N0h3%l4^P%XNO4aUFTOF$^?72zHYf&{(cIb;1XXvHA>3+{tY~d5#
zv}{$hPK_itEBPpL*!U`gHKU*(w8Hou{aYdiC+UzOnWE`6#v4eVM$(0>P%6Ju;@*BD
zlG$`~M*wA^(75x~eIax0;R2!KLiI0{IL^NF^@&v--;RCuIHaFt7ks#cd~!FXFT@bh
zwOB1dEtK@lThCp+d4&fB42>wcZMTPG)l+FV-OVSQJqu_RkNmJqU%dPP#ub*q!<hzG
zWC~GhgtA^Ld^Fje$*6lQ)mv_Z_l0MlKqr7=6K7)V@g=?!@FJ6|rDEa+V@JGq#_WD7
zMH1EOOd21KjK*|`#`gzS;mbwgB!PC#%NbSe2ByVTnU+M!!x`L)^O9j1W1rW0KOIZ1
zE~7^yqGD5G2QF<Jy}C0PLx5qr`~sZPkDTGz8??cOM<zVaQ^4}{v&svtf^4UkL2VxB
zNZ9W0!B=8d_41aNYE`0`NV?ipG*YC>N~HG%Q)O9h;ruW|zzW_^7W#D3k*5_Ke4Jc#
ziF{a{x=`!0YmL;cVhdGiniSgy81VQV?udee?8C7XTu+wE)ANXO{3FIusF$6^?gW*&
zQ4U;($G@1I$cz5i!--y5$_5SL@`}NhwAtfOLtC>CaEipmZGp!N@<k4-(r{t=6I<Ct
zb{UrI7m%&VrZZV63>m!0%WCz7$5Sjv)+@W%J|v(mdF~OGt_7jPwi+81SIEeAW;J5R
zK!L}9?sfPoea$L!{fcA9cQ@xXt9{6mKxlK1|FeYsTZsG%@c7P>%xl<%Ho5wp2CfkU
zJKGg#&+tS7R&MfobFQywW7)yu4Gz;N*6!pR%04+XXT-~$y)v(2@X8FM9w~;^$Kml^
z4|u$Ga%cV_J{`EI^wK-V3cn8zOrhxg=&Lmv8T76FhAH3R@ncNH!PHJ3@$Hu%C*%h<
z*`jjfir#Q$3~K3XvDh`+8ivOYSueBf1~+PN*l@N6o$_@Tu+2n2upm4k;o{)k=v#1w
z$Fp`XX+0Ge&5P%lSaB=12wW3C_|SNQZ|h^S`I#tE=_))v>2MLpag0wYL6Q{9fp@xQ
z1bvQ~k$JXGLUH7dXVJC_JRa5T8w&DGo%mdfnv)g0DRJ7DCt0NZVCS?iMG^J*TEai!
zKX(@!*g&h-x&shTSgJ`7Xc+8IQa(Rt7tFYSDl&8*9*;h2uBJ(Vw(Q^FN-z}0cwC1V
zo$%=a)HB6j%P`9}n+YC|*(94XRd&5T3sP8S>%-G<<KQvUJ|=eM!hYRSQm(Z(JRXZI
zRm7KbOYpJ85K5u-tcQ`vVAXcYH4_UQ7w7Soo44Tc*x1i|p{&cfP(F$v&-qwo0`!n4
z3im|Wh;qlTsN)gg{)B(Eb(oP(r_k9OA;{~KAo=Df0TYDUV9fJbE0L|=_y``42QB+H
zxO}Vz5%b;-%?-WxaVV5M6?*%n_W<1%Nwh;YJf2id6w_F?y9l*uR7xG0|B}R@h?V_7
z+V@%<E{2k+6fAf=86Q9EDYDhdgS&{5_zLe<7dW4DDZ1+5)eesJ*o+MS)PMGjK_(fl
zloLVoR^?7?W;B=kAC#{{Pp=+wJ0~GHW{AMI&)&-MsD5LThIv)1?vTxNNU`3CJxeRw
z)XoYe45>=@J3OAlYm$$#(Y0^k=9|K9apP27!?l#db&VB`u8(M1C>ufWcrN#3`{<%Q
zFHM?9WHgU)soiV!yLq`v7;1_~8`w1~f5JoTSPpdjAo?tgO4ouGhlH=|>^P44J{U0b
zS-v@vK%5HSz98C4<4!rQbRkim-}P4RN;7*zetWad3^PZ8@cUS$Bk*`(=@B}?1mcKs
z6AbWYItvk17c~rfi@IIZ21KjoC}S`@{>nhsgIUS-938EyeY5$nj%Vwx-lARs9=f;P
z37rNcz2Nb(cc*$I?uS^T2G(Mw%*r-%a@Q2^JYYJyj-&i$(uX7k9xwkI&64>eN@nz&
zsPh`f8@%r?j9i_k1?e0*DLFo|8O_4uHDh^ByuxdVh9rr*>FDF*>U08Huv!aVv=413
zWJ4?k;PFOZ6~D#mE~U<kOm`bkamhq+aL?M`JRq_c{M0Fp%WeXXccvx`^`DoHD@s_p
z@x%<pB4tqi{?e`aeuBjz&(}}6f6})uu{!bzZw)`DYSuHgxzx9=v8R;_2n)n`4yS(S
z8t%o1Zy!p;a_aGF8s}{#4cCp<zQ;C!9kw$&HL3k|Ogk8&{$}uakIf|L2)$ykPQf*+
z$CvLO_2AL^;qDMReEl@p+IMX21CRG~maNl3a)NAqm&i&VK-_izT8uL69*5}hnX@a0
zgQ5K={9Fr}{h(=%-ecmpS+SYs@K)a9iBjrYX56luX)I$C@OXdb$_zn{gLRLf^7-o4
zIoY^jk9MP(4uxmN-+K#{YhJ+P!-^Yhn<7VJoYPoKbi!WW(Iy)#B_fzW>nRXB<~v=V
zhsTFciw!*8MUx%Kx!XA$)1PH1-7oP4561w?KBXt5Z*C8dziD(gYL~Q^I{1xxd!9U|
z$JPeDu+`*g&TG++vneDJmGJnuF$KeoJGDCrm8EHzPL}p%W7lKd60fD&kb2U+FqCV6
z$H#B;KfMony+;hr?@vOr?L$}=lgJepc&=eSd*iM34jnu`;dcJb!9@%z)W=@7eJrb*
zE2H9@8m?br56j1JT0<46;PDyvMy<P&pOdtBH{vy@rX+(%@V%h#iewAyY?^U-jAY>P
z_mvz;c`O~cbdSHB>{u+tF4LU6t3(3P*tPZUq1HU(hsPJy64MCkj^<Zl%QG7WIL{Z-
z;^^FYG~wu@qM#7vjrIs0|7eR_BSEd|q&yQXcwcR}5o6i(^WGYCy@);a`K+m20zAIl
zf$2k<E7Rz=EeDg>$)KqBVyb--I3Fv*ULsozi|f<E<13abcr=*_yjJd%a@pgHtnidX
z*+WG6=<j_OLN9r1ln0Nm{D_Eg7{oC}xPQPW3jU;SuUWZ_Uxhc_f0brdMGE``9$%||
z>9e3UO}PVdf*86GB1L-xRv#$}n+R2}L*?{5wk|xre%*gEB44SCkIp(ZR)DBKm4mO6
zY;ndtRwZ0un^|8F9^Y^s?Iv<IqWQ*KW!G9U{03h;hsk~2%Yoo{7NPN6l}UJfb4-!L
z7jip=>{_(dP|b+;`%e9r2T236bFD@`MNZ-TH2z)aEoJgP<rC8>rS!GW$PRC%<z3^T
z`C3TQU>e64+wqhA?Ivw6u3lveqhhHorc{X-e-&?x#mqu&2}WJ|oYIjV0^grkxO{e`
z^^5xvcXbF~-QB?ST4D;B$ir&*)Y95*|9Cnc9^dC26)!cKd(YQ^xHhF-Q%TW6y>bkV
zd@6SQk=tGW6Cm3DuMw03Vh7I+#{$2UB^)b}>~%@*cU;!I(rjy}KQ3^<x+66JkDusU
zx+}0_&n_6Op5Fgb(b3YB6jkY~i>Ip00GQ<a)&V^JD+m3On4Zj-$)%3oP5BW+dEwQj
zkSCE8SMNX#KUNL@gg>5flVJT8`O;gWT#0h}C8+kK{YmmZuT)ZW*-PrN>7Vr5iFL8M
zKgX-lqs`a*NBD<BLKZPG1|wEcD+G2~@7!Dw;QMnjSi?Kam7(maV9McP?-}<{%P_Ls
zr09|l2|W#JCecsw(@RQisgw{*K$V(yYv@FGG$U+(n4-iDQ4T{|i@BrQ7`}bohAiv_
ziRKdpqmq|GgIDTE)+CY-YBNd$ACs><vaW4}$NSBY;}&4Yo|=gvP+)w%WQFdJMTn_w
z))(`6JvI*0nHwJ8BVH{+U!JjJ;eE|#M(B0gyK*C%z9M<<RepSrNs%v+@OUwBjJ70J
z=g=}mF+<;aiFE0NCvm`VS4Jr3aA%QVeF;21HFI@)=Ror#pH%1Oe3HUItf!XK@t#)a
zqpgC?<_8vv@OT@2<4FSlOfI5wy<L79txD(bSo>E&{)RqZ*VQ;}#^vDgaxZ%-d@u%^
z6pn<nf@}z8Y*Z^IlEwSuF27QZa<rel4Rf|40ZWo&um7SP28*VbETyE@iw>=fc`w+0
zSV906*d&3rVQ8C%GsaS%BTA1srmCNc+p%ROus<FEB2dB55ZG1;%)?3#YxpuOV}NC)
zuzdrti~xXuWnefZSoQ*zbpsj568Or8U;)d_VcFHoz&>{@V2ct4c?}#3?uRuH2m>R)
zw)|mRLa<s^poqW#+eZ(}U;!r}D_AShKn99|WxTL%{E=Ws{_c{0hk*sW{SE{3P5%x9
ztN$Gab_Kt~z%KfC7+5<1E;Q(Es>^WU)X_e@frX-I9;5L7q>T-5pJB0P8q!)iz|etA
z0IY!b*HU2h$5gaR-a%?unI4t_>GqHEBHMeUNih=Xds&lj-;NpyUIYV%0vOn0jR2{<
z*vI0<)=u+%1iw)kl>18ZmDoEZ3gPeI45_CdPwxe-VXU3a#RHBxMg0*;2yDZW9OxQI
z5kw34*#babKm2U8fDg_Rm>A~`c;R3R6!5$KE>%i&<3>b!%HIx<aGa12n)hv$F7##1
zmMhaz#=l|DmJ32VKkq5``L+J8z5i}K>~R9dA~e9?XnXKlL;{mz9Y;4;$FOGi;uT?_
z4t}Bz`i~R9?k_A|OaW8}uG<FiG<pJe2Mj_yyGO8g<5h>3>^=nXMYb~680A!Ekqc|n
z6#>V=w+ox{2ur@_t3TR>fM9<-XYE;?1xWjxc{6<g91;TCxhz~93_2ex_<INjBO&nv
z5_EpgO#ae}32^rufP3W%e5DZt@q@U4Yp?^#AW+CD(jQkLvu)$gUCwIrD7uvurGle(
z<W_wX6EJjt?<#hGc@?~8?e&1vfh({Aqyr`^Hh>JN0g@yOVgYgukRH$nR^Vtb0v2dU
z8u4s86at`NP-qY_89{|AJv2`Vel-586(SaFdg(9I+4Uf~f!5@0IA4k7N|%wVY7SAV
ze1@HsALxbR*|^#QK4cb<7SIP;V7$D6v4P!FHz4;0_Q;;eG^}L(hlJAtc!4v#B8V5b
zQz9Tvz%LD(YzjLgAR+1qKn{}yW*#i--r%|nqHWuJL6oK&#!1~c@<8R^8%0vsfk3*D
zv2$7AI~&EXzZpfr|Ep2N7C%4p?{g`5$UhopL0|~~wZjZNo}us6NM7hXHu0H-Tz#Eh
zLn(NoDNsubbo0k(f_OM{mSQ<a@iR$4Nz7N;fjfnJb`da}GzWWR4eX*+FvD{u?eiu#
zKm{q-(#$Ce!1Mn1Vyw>$9B?e`QzyK|2R>&0C$bV2@bcf7SM;CA%Kt=G{=Ynz=Rc8^
z|9?kT!bkz|DiS*Md0%7$q7-r0od485;h|RryX3-sppJ}o<^`|<(V7v#R)3`6A6xL$
z2t<lVfB~~^q5lp_c+q>rk}JH>-492k(B#{BW2XG2F1@WV;`ZBg1S6^VAlVCZOJ-U}
ze*J3o<|4~IX05fB=v9~6Sv%k?8jnpauFZjDAJ<7t;LXG{z)lQH!ap{&fACfyR)`-6
zKBYR37eWU$NMFt+<4CcG``G{2fKGWC9-_0KIskqJ15?q<#g-Oo2TW4^+ca1#)T>Y*
zdl%r>F-RfAFaw5xg(GX}26Y31NnL1FyluF6fJh%$1tJ#vUn_uiyu58ae;s^!7I%6!
z=aq+thgX0H2o*Y;0t=MRivL@>`Mb%lt;V7x-m7$`6_zVGdSxx|-+OM&1aqob;g+?z
zDxl#HCd40F(lEcqcbn9e5YbtZ602_d7{wpZyLY3t@p=y)CwWl0;b765uWGnc6<Xg^
z?k5d&XJD(@+xnaC55E;wQo5d)njJz>5H&q;5Wm-vPsf?1BQ1cZPnh7+%!;C+6#Olt
z#Nm<HOH@kU`?=&XH~~!#8JxkXS_`{Nud?>pSLz)Un<wvRNEyGV@hDv~(SPr;FNHB<
zTy`mvQ-eZl?8BC`Tat~s@zW*Rc}u)0qxEm|GUEtcCv-HE4Q)DiWWuyOX%ua)_qbf%
zKy$}beVEHToJ*x&too_);caAONj%xS^RS_?B1l-lpQas@Cud-GuvPDnBHd!Bvo&J6
z&2MD=m&r}P1pG9^^)K^ZWnm#TG)UqQQHXG^U@m_&@1G)PtS?0JY&NTxtu^pdI-FKO
z=rgD5nGkYXTb@OY{`Ci8&L&7*3EK62_$1;f`}HALEegblE`moI+43o`+tU2PM=JE6
zWFYPEigxQ#qfQf)=p9VF@ugjw@6?>mG|5i6LgqD<=9HHqe5)|lwf#uMW60Z=1W{6t
zLEx>fyfFo}bjK)x%DdAFjFfCE3{r$_uQ{{o<L0qia{TMT{gQ~mcGJeiuS66yPqjZ}
z^JphiisAVnk~V%01Ba%$t6Y1QRwY5)PjeeQ=KxMT+?S^g%17u%)$GcAy)rXcV7ijh
z^nCdE^D+&erWew4anGtCwC@Ojv!XA1&QZjVQQjlAI)V8iSMlBz^H9gTk|o<2MAHL^
zIGA=_RIV-c%zo`MX)Q-i7|rL}<U*Z|@}ycyxezDSzowxX+GuNMx6$eUXVh7!PdF&l
JFC295zW@}=K7#-N

literal 0
HcmV?d00001

diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/TpmLogSHA1ExpectedPcrs.txt b/HIRS_Utils/src/test/resources/tcgeventlog/TpmLogSHA1ExpectedPcrs.txt
new file mode 100644
index 00000000..a6676a67
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/TpmLogSHA1ExpectedPcrs.txt
@@ -0,0 +1,24 @@
+1f1e9bf7dea0be1c37c999c4233b0164ed577607
+46f041010f19e5e74aa33e04467c59759af3fca4
+b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+f36f2acdb5134d2560e7784002f606573bac99d5
+ed6db334e4e0f3811c18b9e79601b0c16d5a5b2b
+b2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
+54f675801f2f654bf53fc61c36837198fddd7a85
+0000000000000000000000000000000000000000
+0000000000000000000000000000000000000000
+0000000000000000000000000000000000000000
+0000000000000000000000000000000000000000
+0000000000000000000000000000000000000000
+0000000000000000000000000000000000000000
+0000000000000000000000000000000000000000
+0000000000000000000000000000000000000000
+0000000000000000000000000000000000000000
+ffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffff
+0000000000000000000000000000000000000000
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvBootServicesApplication.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvBootServicesApplication.txt
new file mode 100644
index 00000000..802c5d14
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvBootServicesApplication.txt
@@ -0,0 +1 @@
+1820d45800000000e0b405000000000000000000000000002c00000000000000040714002ce2edb630defa45bb09ca202c1654b7040614001ae3e1159d9f844c82fb1a707fc0f63b7fff0400
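Review bot: The hex fixtures in this commit are terminated inconsistently: this file, EvEfiSpecId.txt, EvPostCode.txt and EV_EFI_VAR_SECURE_BOOT.txt end with a newline, while EvHandoffTables.txt, EFI_DEVICE_PATH.txt and the other uefi/*.txt files are stored without one. The UefiDevicePath test shown just before this commit passes the whole result of `IOUtils.toString(...)` straight to `HexUtils.hexStringToByteArray(uefiTxt)`. If the tests reading the newline-terminated files follow the same pattern, the trailing `\n` reaches the hex decoder, and whether it is ignored, rejected or turned into a stray byte is not visible here. Either store every hex fixture without a trailing newline, or trim at the call site, e.g. `HexUtils.hexStringToByteArray(uefiTxt.trim())`.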
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiGptPartition.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiGptPartition.txt
new file mode 100644
index 00000000..1cd7e09d
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiGptPartition.txt
@@ -0,0 +1 @@
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
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiSpecId.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiSpecId.txt
new file mode 100644
index 00000000..841a1be6
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiSpecId.txt
@@ -0,0 +1 @@
+53706563204944204576656e743033000000000000020002010000000b00200000
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvHandoffTables.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvHandoffTables.txt
new file mode 100644
index 00000000..ef759b94
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvHandoffTables.txt
@@ -0,0 +1 @@
+01000000000000004415fdf294972c4a992ee5bbcf20e3940000676300000000
\ No newline at end of file
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvPostCode.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvPostCode.txt
new file mode 100644
index 00000000..b76c680f
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvPostCode.txt
@@ -0,0 +1 @@
+414350492044415441
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_DEVICE_PATH.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_DEVICE_PATH.txt
new file mode 100644
index 00000000..7802a6f4
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_DEVICE_PATH.txt
@@ -0,0 +1 @@
+040714002ce2edb630defa45bb09ca202c1654b7040614001ae3e1159d9f844c82fb1a707fc0f63b7fff0400
\ No newline at end of file
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt
new file mode 100644
index 00000000..ceab9816
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt
@@ -0,0 +1 @@
+0070206b0000000000000d0000000000
\ No newline at end of file
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt
new file mode 100644
index 00000000..f82c5911
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt
@@ -0,0 +1 @@
+28732ac11ff8d211ba4b00a0c93ec93b3c62a78c1e04ab4f8c12f49a86b85d7300a80f0000000000ffc712000000000000000000000000804500460049002000730079007300740065006d00200070006100720074006900740069006f006e000000000000000000000000000000000000000000000000000000000000000000
\ No newline at end of file
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt
new file mode 100644
index 00000000..8b6b3d49
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt
@@ -0,0 +1 @@
+61dfe48bca93d211aa0d00e098032b8c09000000000000000c0000000000000042006f006f0074004f007200640065007200040003000200000001000500
\ No newline at end of file
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt
new file mode 100644
index 00000000..b0b75029
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt
@@ -0,0 +1 @@
+61dfe48bca93d211aa0d00e098032b8c030000000000000000000000000000004b0045004b00
\ No newline at end of file
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt
new file mode 100644
index 00000000..bf6b6d07
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt
@@ -0,0 +1 @@
+61dfe48bca93d211aa0d00e098032b8c0a00000000000000010000000000000053006500630075007200650042006f006f00740000
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/vendor-table.json b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/vendor-table.json
new file mode 100644
index 00000000..d411dd50
--- /dev/null
+++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/vendor-table.json
@@ -0,0 +1,233 @@
+{
+  "VendorTable": {
+    "_comment_1": "UUIDS listed in the UEFI Specification",
+    "eb9d2d30-2d88-11d3-9a16-0090273fc14d": "ACPI_TABLE_GUID",
+    "eb9d2d32-2d88-11d3-9a16-0090273fc14d": "SAL_SYSTEM_TABLE_GUID",
+    "eb9d2d31-2d88-11d3-9a16-0090273fc14d": "SMBIOS_TABLE_GUID",
+    "f2fd1544-9794-4a2c-992e-e5bbcf20e394": "SMBIOS3_TABLE_GUID",
+    "eb9d2d2f-2d88-11d3-9a16-0090273fc14d": "MPS_TABLE_GUID",
+    "8868e871-e4f1-11d3-bc22-0080c73c8881": "EFI_ACPI_TABLE_GUID",
+    "87367f87-1119-41ce-aaec-8be01101f558": "EFI_JSON_CONFIG_DATA_TABLE_GUID",
+    "35e7a725-8dd2-4cac-8011-33cda8109056": "EFI_JSON_CAPSULE_DATA_TABLE_GUID",
+    "dbc461c3-b3de-422a-b9b4-9886fd49a1e5": "EFI_JSON_CAPSULE_RESULT_TABLE_GUID",
+    "77ab535a-45fc-624b-5560-f7b281d1f96e": "EFI_VIRTUAL_DISK_GUID",
+    "3d5abd30-4175-87Ce-6d64-d2ADe523C4bb": "EFI_VIRTUAL_CD_GUID",
+    "5Cea02c9-4d07-69d3-269f-4496Fbe096f9": "EFI_PERSISTENT_VIRTUAL_DISK_GUID",
+    "08018188-42cd-bb48-100f-5387D53ded3d": "EFI_PERSISTENT_VIRTUAL_CD_GUID",
+    "_comment_2": "DXE GUIds from https://github.com/linuxboot/linuxboot/blob/master/boards/qemu/image-files.txt",
+    "fc510ee7-ffdc-11d4-bd41-0080c73c8881": "DXE Apriori-FVRECOVERY",
+    "1b45cc0a-156a-428a-62af-49864da0e6e6": "PEI Apriori file name",
+    "80cf7257-87ab-47f9-a3fe-d50b76d89541": "PcdDxe",
+    "b601f8c4-43b7-4784-95b1-f4226cb40cee": "RuntimeDxe",
+    "f80697e9-7fd6-4665-8646-88e33ef71dfc": "SecurityStubDxe",
+    "1a1e4886-9517-440e-9fde-3be44cee2136": "CpuDxe",
+    "11a6edf6-a9be-426d-a6cc-b22fe51d9224": "PciHotPlugInitDxe",
+    "128fb770-5e79-4176-9e51-9bb268a17dd1": "PciHostBridgeDxe",
+    "93b80004-9fb3-11d4-9a3a-0090273fc14d": "PCI Bus Driver - PciBusDxe",
+    "9b680fce-ad6b-4f3a-b60b-f59899003443": "DevicePathDxe",
+    "f9d88642-0737-49bc-81b5-6889cd57d9ea": "SmbiosDxe",
+    "4110465d-5ff3-4f4b-b580-24ed0d06747a": "SmbiosPlatformDxe",
+    "9622e42c-8e38-4a08-9e8f-54f784652f6b": "AcpiTableDxe",
+    "49970331-e3fa-4637-9abc-3b7868676970": "AcpiPlatform",
+    "7e374e25-8e01-4fee-87f2-390c23c606cd": "ACPI data",
+    "bdce85bb-fbaa-4f4e-9264-501a2c249581": "S3SaveStateDxe",
+    "d9dcc5df-4007-435e-9098-8970935504b2": "PlatformDxe",
+    "8657015b-ea43-440d-949a-af3be365c0fc": "IoMmuDxe",
+    "cbd2e4d5-7068-4ff5-b462-9822b4ad8d60": "VariableRuntimeDxe",
+    "_comment_3": "PIWG Dxe driver Files (FvFile)from https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1272444",
+    "70d57d67-7f05-494d-a014-b75d7345b700": "Storage Security Command Driver",
+    "3acc966d-8e33-45c6-b4fe-62724bcd15a9": "AHCI Bus Driver",
+    "67bbc344-84bc-4e5c-b4df-f5e4a00e1f3a": "Host Controller Driver",
+    "86edaae5-073c-4c89-b949-8984ac8a55f3": "MMC/SD Media Device Driver",
+    "9e863906-a40f-4875-977F-5b93ff237fc6": "Serial Terminal Driver",
+    "a6cc6bc8-2ada-46C3-bba4-e99672CC9530": "PCI Serial Driver",
+    "69fd8e47-a161-4550-b01a-5594ceb2b2b2": "PCI IDE/ATAPI Bus Driver",
+    "51ccf399-4fdf-4e55-a45b-e123f84d456a": "Platform Console Management Driver",
+    "6b38f7b4-ad98-40e9-9093-aca2b5a253c4": "Generic Disk I/O Driver",
+    "2d2e62cf-9ecf-43b7-8219-94e7fC713dfe": "Usb Keyboard Driver",
+    "9fb4b4a7-42C0-4bcd-8540-9bcc6711f83e": "Usb Mass Storage Driver",
+    "e3752948-b9a1-4770-90c4-df41c38986be": "QEMU Video Driver",
+    "240612B7-a063-11d4-9a3a-0090273fc14d": "Usb Bus Driver",
+    "bdfe430e-8F2a-4db0-9991-6f856594777e": "Usb Ehci Driver",
+    "2fb92efa-2ee0-4bae-9eB6-7464125E1EF7": "Usb Ehci Driver",
+    "a92cdb4b-82f1-4e0b-a516-8a655d371524": "Virtio Network Driver",
+    "4579b72d-7ec4-4dd4-8486-083c86b182a7": "iSCSI Driver",
+    "3b1deaB5-c75d-442e-9238-8e2ffb62b0bb": "UEFI PXE Base Code Driver",
+    "6b6963ab-906d-4a65-a7ca-bd40e5d6af2b": "UDP Network Service Driver",
+    "6d6963ab-906d-4a65-a7ca-bd40e5d6af4d": "Tcp Network Service Driver",
+    "dc3641b8-2fa8-4ed3-bc1f-f9962a03454b": "MTFTP4 Network Service Driver",
+    "9fb1a1f3-3b71-4324-b39a-745cbb015fff": "IP4 Network Service Driver",
+    "26841bde-920a-4e7a-9Fbe-637f477143a6": "IP4 CONFIG Network Service Driver",
+    "94734718-0bbc-47fb-96a5-ee7a5ae6a2ad": "DHCP Protocol Driver",
+    "529d3f93-e8e9-4e73-b1e1-bdf6a9d50113": "ARP Network Service Driver",
+    "e4f61863-fe2c-4b56-a8d4-08519bc439df": "VLAN Configuration Driver",
+    "a2f436ea-a127-4ef8-957c-8048606ff670": "Simple Network Protocol Driver",
+    "961578fe-b6b7-44c3-af35-6bc705cd2b1f": "FAT File System Driver",
+    "0abd8284-6da3-4616-971a-83a5148067ba": "ISA Floppy Driver",
+    "3dc82376-637b-40a6-a8fc-a565417f2c38": "PS/2 Keyboard Driver",
+    "93b80003-9fb3-11d4-9a3a-0090273fc14d": "ISA Serial Driver",
+    "240612b5-a063-11d4-9a3a-0090273fc14a": "ISA Bus Driver",
+    "99549f44-49bb-4820-b9d2-901329412d67": "IDE Controller Init Driver",
+    "0a66e322-3740-4cce-ad62-bd172cecca35": "Scsi Disk Driver",
+    "1fa1f39e-feff-4aae-bd7b-38a070a3b609": "Partition Driver",
+    "9e863906-a40f-4875-977f-5b93ff237fc6": "Serial Terminal Driver",
+    "cccb0c28-4b24-11d5-9a5a-0090273fc14d": "Graphics Console Driver",
+    "408edcec-cf6d-477c-a5a8-b4844e3de281": "Console Splitter Driver",
+    "fab5d4f4-83c0-4aaf-8480-442d11df6cea": "Virtio SCSI Host Driver",
+    "11d92dfb-3Ca9-4f93-ba2e-4780ed3e03b5": "Virtio Block Driver",
+    "33cb97af-6c33-4c42-986b-07581fa366d4": "Block MMIO to Block IO Driver",
+    "_comment_4": "PIWG Volumes (Fv)",
+    "a881d567-6cb0-4eee-8435-2e72d33e45B5": "PIWG Default Volume",
+    "_comment_5": "UEFI UUIDS for Certificates",
+    "3c5766e8-269c-4e34-aa14-ed776e85b3b6": "EFI_CERT_RSA2048_GUID",
+    "e2b36190-879b-4a3d-ad8d-f2e7bba32784": "EFI_CERT_RSA2048_SHA256_GUID",
+    "c1c41626-504c-4092-aca9-41f936934328": "EFI_CERT_SHA256_GUID",
+    "826ca512-cf10-4ac9-b187-be01496631bd": "EFI_CERT_SHA1_GUID",
+    "67f8444f-8743-48f1-a328-1eaab8736080": "EFI_CERT_RSA2048_SHA1_GUID",
+    "a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "EFI_CERT_X509_GUID",
+    "0b6e5233-a65c-44c9-9407-d9ab83bfc8bd": "EFI_CERT_SHA224_GUID",
+    "ff3e5307-9fd0-48c9-85f1-8ad56c701e01": "EFI_CERT_SHA384_GUID",
+    "093e0fae-a6c4-4f50-9f1b-d41e2b89c19a": "EFI_CERT_SHA512_GUID",
+    "3bd2a492-96c0-4079-b420-fcf98ef103ed": "EFI_CERT_X509_SHA256_GUID",
+    "7076876e-80c2-4ee6-aad2-28b349a6865b": "EFI_CERT_X509_SHA384_GUID",
+    "446dbf63-2502-4cda-bcfa-2465d2b0fe9d": "EFI_CERT_X509_SHA512_GUID",
+    "a7717414-c616-4977-9420-844712a735bf": "EFI_CERT_TYPE_RSA2048_SHA256_GUID",
+    "_comment_6": "UEFI defined variables",
+    "452e8ced-dfff-4b8c-ae01-5118862e682c": "EFI_CERT_EXTERNAL_MANAGEMENT_GUID",
+    "d719b2cb-3d3a-4596-a3bc-dad00e67656f": "EFI_IMAGE_SECURITY_DATABASE_GUID",
+    "4aafd29d-68df-49ee-8aa9-347d375665a7": "EFI_CERT_TYPE_PKCS7_GUID",
+    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System Partition",
+    "024DEE41-33E7-11D3-9D69-0008C781F39F": "Partition containing a legacy MBR",
+    "_comment_7": "RHBoot UEFI Application UUIDs From listed in RHBoot (RHShim) https://github.com/rhboot/efivar/blob/master/src/guids.txt",
+    "0abba7dc-e516-4167-bbf5-4d9d1c739416": "fwupdate:",
+    "3b8c8162-188c-46a4-aec9-be43f1d65697": "ux_capsule",
+    "605dab50-e046-4300-abb6-3dd810dd8b23": "RH_Shim",
+    "8be4df61-93ca-11d2-aa0d-00e098032b8c": "EFI_Global_Variable",
+    "91376aff-cba6-42be-949d-06fde81128e8": "GRUB",
+    "_comment_8": "Partition Table GUIDs",
+    "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem data",
+    "e6d6d379-f507-44c2-a23c-238f2a3df928": "Logical Volume Manager (LVM) partition",
+    "4f68bce3-e8cd-4db1-96e7-fbcaf984b709": "Root partition (x86-64)",
+    "a19d880f-05fc-4d3b-a006-743f0f84911e": "RAID partition",
+    "933ac7e1-2eb4-4f13-b844-0e14e2aef915": "/home partition[ (x86-64)",
+    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "GPT Basic data partition",
+    "_comment_9": "RHBoot Lenovo specific UUIDS",
+    "3cc24e96-22c7-41d8-8863-8e39dcdcc2cf": "lenovo",
+    "82988420-7467-4490-9059-feb448dd1963": "lenovo_me_config",
+    "f7e615b-0d45-4f80-88dc-26b234958560": "lenovo_diag",
+    "665d3f60-ad3e-4cad-8e26-db46eee9f1b5": "lenovo_rescue",
+    "721c8b66-426c-4e86-8e99-3457c46ab0b9": "lenovo_setup",
+    "f46ee6f4-4785-43a3-923d-7f786c3c8479": "lenovo_startup_interrupt",
+    "126a762d-5758-4fca-8531-201a7f57f850": "lenovo_boot_menu",
+    "a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380": "lenovo_diag_splash",
+    "_comment_10": "Company UUIDs (From Internet searches)",
+    "77fa9abd-0359-4d32-bd60-28f4e78f784b": "Microsoft Inc.",
+    "f5a96b31-dba0-4faa-a42a-7a0c9832768e": "HPE Inc.",
+    "2879c886-57ee-45cc-b126-f92f24f906b9": "SUSE Certificate",
+    "70564dce-9afc-4ee3-85fc-949649d7e45c": "Dell Inc.",
+    "_comment_11": "Intel GUIDS",
+    "bfcc0833-2125-42d1-8c6d-13821e23c078": "Intel(R) Desktop Boards",
+    "80b3ad5b-9880-4af9-a645-e56a68be89de": "Intel(R) CISD FW Update",
+    "_comment_12": "Microsoft GUIDS",
+    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved Partition (MSR)",
+    "5808c8aa-7e8f-42e0-85d2-e1e90434cfb3": "Logical Disk Manager (LDM) metadata partition ",
+    "af9b60a0-1431-4f62-bc68-3311714a69ad": "Logical Disk Manager data partition",
+    "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery Environment",
+    "9f25ee7a-e7b7-11db-94b5-f7e662935912": "Windows Boot Loader",
+    "_comment_13": "Linux specific GUIDS",
+    "0fc63daf-8483-4772-8e79-3d69d8477de": "Linux filesystem data",
+    "44479540-f297-41b2-9af7-d131d5f0458a4": "Root partition (x86)",
+    "69dad710-2ce4-4e3c-b16c-21a1d49abed3": "Root partition (32-bit ARM)",
+    "b921b045-1df0-41c3-af44-4c6f280d3fae": "Root partition (64-bit ARM/AArch64)",
+    "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f": "Swap partition",
+    "3b8f8425-20e0-4f3b-907f-1a25a76f98e8": "/srv (server data) partition",
+    "7ffec5c9-2d00-49b7-8941-3ea10a5586b7": "Plain dm-crypt partitiont",
+    "ca7d7ccb-63ed-4c53-861c-1742536059cc": "LUKS partition",
+    "_comment_14": "Linux Boot GUIDS https://github.com/linuxboot/linuxboot/blob/master/boards/s2600wf/vendor-files.txt",
+    "9cfd802c-09a1-43d6-8217-aa49c1f90d2c": "Intel Management Engine BIOS Extension (Mebx)",
+    "b62efbbb-3923-4cb9-a6e8-db818e828a80": "Intel Management Engine BIOS Extension (Mebx) Setup Browser",
+    "9ce4325e-003e-11e3-b582-b8ac6f199a57": "Non-Volatile Dual In-line Memory Module (NVDIMM) Driver",
+    "ea9de6d5-7839-46f7-9e63-4de8b00e2e5d": "NVM DIMM Human Interface Infrastructure (HII)",
+    "56a1b86f-0d4a-485d-87de-ad0eba1c8c2a": "IBM C Video Gop",
+    "a1f436ea-a127-4ef8-957c-8048606ff670": "SnpDxe",
+    "a210f973-229d-4f4d-aa37-9895e6c9eaba": "DpcDxe",
+    "025bbfc7-e6a9-4b8b-82ad-6815a1aeaf4a": "MNP Network Service Driver - MnpDxe",
+    "b44b2005-42bc-41c9-80af-abd7dc7d6923": "RSTesSATAEFI",
+    "15e1e31a-9f9d-4c84-82fb-1a707fc0f63b": "RSTeSATAEFI",
+    "2cc25173-bd9f-4c89-89cc-29256a3fd9c3": "RSTesSATALegacy",
+    "bd5d4ca5-674f-4584-8cf9-ce4ea1f54dd1": "RSTeSATALegacy",
+    "_comment_15": "WinNt GUIDs, add if they are still found in use https://sourceforge.net/p/uefinotes/wiki/FV%20Sources/?version=3",
+    "fc5c7020-1a48-4198-9be2-ead5abc8cf2f": "BdsDxe",
+    "d0893f05-b06d-4161-b947-9be9b85ac3a1": "SnpNt32Dxe",
+    "9b3ada4f-ae56-4c24-8Dea-f03b7558ae50": "PcdPeim",
+    "34c8c28F-b61c-45a2-8f2e-89e46becc63b": "PeiVariable",
+    "fe5cea76-4f72-49e8-986f-2cd899dffe5d": "FaultTolerantWriteDxe",
+    "_comment_16": "Linux Boot Image files UEFI Platform Initialization (PI) specifications Driver Execution Environment (DXE) Architectural protocols and platform modules https://github.com/linuxboot/linuxboot/blob/master/boards/winterfell/image-files.txt",
+    "5ae3f37e-4eae-41ae-8240-35465b5e81eb": "CORE_DXE",
+    "cbc59c4a-383a-41eb-a8ee-4498aea567e4": "DXE Runtime",
+    "3c1de39f-d207-408a-aacc-731cfb7f1dd7": "DXE PciBus",
+    "80e66e0a-ccd1-43fa-a7b1-2d5ee0f13910": "DXE PciRootBridge",
+    "9f3a0016-ae55-4288-829d-d22fd344c347": "DXE AmiBoardInfo",
+    "13ac6dd0-73d0-11d4-b06b-00aa00bd6de7": "DXE EBC",
+    "e03abadf-e536-4e88-b3a0-b77f78eb34fe": "CPU DXE",
+    "b7d19491-e55a-470d-8508-85a5dfa41974": "SBDXE",
+    "e23f86e1-056e-4888-b685-cfcd67c179d4": "DXE SBRun",
+    "e4ecd0b2-e277-4f2b-becb-e4d75c9a812e": "NBDXE",
+    "5ad34ba6-f024-2149-52e4-da0398e2bb9": "DXE Services Table",
+    "_comment_17": "ACPI configuration and tables",
+    "750890a6-7acf-4f4f-81bd-b400c2bea95a": "AcpiModeEnable",
+    "d4c05cd1-5eae-431d-a095-13a9e5822045": "MPST",
+    "db93cb2c-bf1c-431a-abc8-8737bc2afc1f": "PRAD-ACPI-table",
+    "3bc5b795-a4e0-4d56-9321-316d18a7aefe": "PRAD",
+    "16d0a23e-c09c-407d-a14a-ad058fdd0ca1": "ACPI",
+    "26a2481e-4424-46a2-9943-cc4039ead8f8": "S3Save",
+    "efd652cc-0e99-40f0-96c0-e08c089070fc": "S3Restore",
+    "8c783970-f02a-4a4d-af09-8797a51eec8d": "PowerManagement",
+    "299141bb-211a-48a5-92c0-6f9a0a3a006e0": "PowerManagement-ACPI-table",
+    "2df10014-cf21-4280-8c3f-e539b8ee5150": "PpmPolicyInitDxe",
+    "4b680e2d-0d63-4f62-b930-7ae995b9b3a3": "SmBusDxe",
+    "_comment_18": "SMM handlers",
+    "4a37320b-3fb3-4365-9730-9e89c600395d": "SmmDispatcher",
+    "753630c9-fae5-47a9-bbbf-88d621cd7282": "SmmChildDispatcher",
+    "be216ba8-38c4-4535-a6ca-5dca5b43addf": "SmiVariable",
+    "a56897a1-a77f-4600-84db-22b0a801fa9a": "SmmRuntime",
+    "d2596f82-f0e1-49fa-95bc-62012c795728": "SmmBase Data",
+    "69009842-63f2-43db-964b-efad1c39ec85": "SmmBase Data",
+    "d0632c90-afd7-4492-b186-257c63143c61": "SmmBase",
+    "7e2d983f-f703-4a29-9761-77b51f5354ed": "SmmCommunicate",
+    "_comment_19": "CMOS and NVRAM handlers",
+    "6869c5b3-ac8d-4973-8b37-e354dbf34add": "CmosManagerSmm",
+    "842a454a-75e5-408b-8b1c-36420e4e3f21": "NvramSmi",
+    "5446c293-339b-47cd-b719-585de39408cc": "PostReport",
+    "71ca9ca1-325d-4bfe-afa3-2ec5c94a8680": "DmAcpi",
+    "cef68c66-06ab-4fb3-a3ed-5ffa885b5725": "SMBiosBoard",
+    "b13edd38-684c-41ed-a305-d7b7e32497df": "SMBios64",
+    "ded7956d-7e20-4f20-91a1-190439b04d5b": "SmbiosGetFlashData64",
+    "daf4bf89-ce71-4917-b522-c89d32fbc59f": "SmbiosStaticData",
+    "_comment_20": "Apple GUIDS",
+    "48465300-0000-11aa-aa11-00306543ecac": "Apple Hierarchical File System Plus (HFS+) partition ",
+    "7c3457ef-0000-11aa-aa11-00306543ecac": "Apple APFS container",
+    "55465300-0000-11aa-aa11-00306543ecac": "Apple UFS container",
+    "52414944-0000-11aa-aa11-00306543ecac": "Apple RAID partition",
+    "4c616265-6c00-11aa-aa11-00306543ecac": "Apple Label",
+    "53746f72-6167-11aa-aa11-00306543ecac": "Apple Core Storage Container",
+    "6a898cc3-1dd2-11b2-99a6-080020736631": "ZFS Partition",
+    "_comment_21": "Chrome OS GUIDS",
+    "2568845d-2332-4675-bc39-8fa5a4748d15": "Chrome OS kernel ",
+    "3cb8e202-3b7e-47dd-8a3c-7ff2a13cfcec": "Chrome OS rootfs ",
+    "2e0a753d-9e48-43b0-8337-b15192cb1b5e": "Chrome OS future use ",
+    "_comment_22": "Android GUIDS",
+    "fe3a2a5d-4f32-41a7-b725-accc3285a309": "Android Bootloader",
+    "114eaffe-1552-4022-b26e-9b053604cf84": "Android Bootloader 2",
+    "49a4d17f-93a3-45c1-a0de-f50b2ebe2599": "Android Boot",
+    "4177c722-9e92-4aab-8644-43502bfd5506": "Android Recovery",
+    "38f428e6-d326-425d-9140-6e0ea133647c": "Android System",
+    "bd59408b-4514-490d-bf12-9878d963f378": "Android Config",
+    "8f68cc74-c5e5-48da-be91-a0c8c15e9c80": "Android Factory",
+    "ac6d7924-eb71-4df8-b48d-e267b27148ff": "Android OEM",
+    "_comment_23": "MISC GUIDs",
+    "5023b95c-db26-429b-a648-bd47664c8012": "Built-in EFI Shell",
+    "610a0202-d308-00c4-0000-000004300d06": "Mystery UUID",
+    "00000000-0000-0000-0000-000000000000": "Empty UUID"
+  }
+}
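Review bot: Five keys in this table are not well-formed 8-4-4-4-12 GUID strings, so a lookup by GUID text cannot match them: `f7e615b-0d45-4f80-88dc-26b234958560`, `0fc63daf-8483-4772-8e79-3d69d8477de` (a truncated copy of the correct entry under `_comment_8`), `44479540-f297-41b2-9af7-d131d5f0458a4`, `5ad34ba6-f024-2149-52e4-da0398e2bb9` and `299141bb-211a-48a5-92c0-6f9a0a3a006e0`. Several keys also mix upper- and lower-case hex, and `9e863906-a40f-4875-977F-5b93ff237fc6` appears a second time in lower case; if the consumer compares keys case-sensitively (not visible here), those entries resolve inconsistently. Since the table labels GUIDs found in measured UEFI events, I would normalise the keys to lower case and add a test asserting that every key not starting with `_comment` matches the GUID pattern.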

From 383fefdfefd507e9973756aeace3a839ae98db15 Mon Sep 17 00:00:00 2001
From: iadgovuser26 <iadgovuser26@empire.eclipse.ncsc.mil>
Date: Tue, 18 Jul 2023 13:09:11 -0400
Subject: [PATCH 10/12] changed bootRun parameter to --spring.config.location

---
 HIRS_AttestationCAPortal/build.gradle         | 10 +--
 .../src/main/resources/application.properties | 14 +---
 package/scripts/aca/aca_bootRun.sh            | 21 +----
 package/scripts/aca/aca_setup.sh              | 25 +++---
 package/scripts/pki/ca.conf                   | 11 ++-
 package/scripts/pki/pki_chain_gen.sh          | 81 ++++++++++++-------
 package/scripts/pki/pki_setup.sh              | 53 ++++++------
 7 files changed, 110 insertions(+), 105 deletions(-)

diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle
index 45259c42..dcadd19d 100644
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@@ -51,11 +51,11 @@ dependencies {
     implementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
 
-    implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
-    implementation 'jakarta.servlet:jakarta.servlet-api:6.0.0'
-    implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
-    implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'    
-    implementation 'jakarta.el:jakarta.el-api:5.0.0'
+//    implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
+//    implementation 'jakarta.servlet:jakarta.servlet-api:6.0.0'
+//    implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
+//    implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'    
+//    implementation 'jakarta.el:jakarta.el-api:5.0.0'
 
 
     compileOnly 'org.projectlombok:lombok'
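Review bot: The five jakarta `implementation` lines are commented out rather than removed, and nothing says why or under what condition they should return. Either delete them or put a one-line reason above the block, so the next reader does not re-enable them by guesswork. The same commit narrows `*jakarta*.jar` in `server.tomcat.additional-tld-skip-patterns`, which looks related; if it is, the comment should say so.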
diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties
index 288f48c4..8b856317 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@@ -17,7 +17,7 @@ spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
 #spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 
 # Tomcat Config
-server.tomcat.additional-tld-skip-patterns=*jakarta*.jar, txw2*.jar, *commons*.jar,  *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar 
+server.tomcat.additional-tld-skip-patterns=jakarta.persistence-api*.jar, jakarta.xml.bind-api*.jar, txw2*.jar, *commons*.jar,  *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar 
 server.tomcat.basedir=/opt/embeddedtomcat
 server.servlet.register-default-servlet=true
 server.servlet.context-path=/HIRS_AttestationCAPortal
@@ -30,16 +30,6 @@ server.tomcat.accesslog.prefix=access_log
 server.tomcat.accesslog.suffix=.log
 server.tomcat.accesslog.rotate=true
 
-# Tomcat TLS support
-server.port=8443
-server.ssl.enabled=true
-server.ssl.trust-store-type=JKS
-server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
-server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384
-server.ssl.key-store-type=JKS
-server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
-server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
-
 #jdbc.driverClassName = com.mysql.cj.jdbc.Driver
 #jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
 #jdbc.username = root
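Review bot: With the `server.port=8443` and `server.ssl.*` lines removed, nothing in this file turns TLS on, while aca_bootRun.sh in the same commit still prints an `https://localhost:8443/...` URL and aca_setup.sh copies this file to `/etc/hirs/aca`. Because `--spring.config.location` replaces Spring Boot's default config locations rather than adding to them, the listener's port and TLS state will come only from `/etc/hirs/aca/application.properties`. If pki_setup.sh is meant to append the TLS settings there (not visible in this hunk), record that here, e.g. `# TLS settings (server.port, server.ssl.*) are appended to /etc/hirs/aca/application.properties by pki_setup.sh`; otherwise the portal would come up without TLS.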
@@ -48,5 +38,5 @@ server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
 #spring.jpa.hibernate.ddl-auto=update
 #spring.jpa.show-sql=true
 
-# Passwords get appended here ...
+# DB dfault password.
 spring.datasource.password=hirs_db
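Review bot: The new comment has a typo (`dfault`) and does not tell an operator that the value has to be replaced. aca_setup.sh copies this file to `/etc/hirs/aca` as it stands, so `hirs_db` becomes the deployed datasource password unless something overrides it. Suggested wording: `# Default DB password for development only; override it in /etc/hirs/aca/application.properties before deployment.`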
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh
index 2118ba92..a77d10af 100644
--- a/package/scripts/aca/aca_bootRun.sh
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -6,25 +6,8 @@
 #
 ####################################################################################
 
-PASS_FILE="/etc/hirs/aca/application.properties"
-
-declare -A props
-
-if [ -f $PASS_FILE ]; then
-  while IFS="=" read -r key value; do
-    #echo "key is $key, value is $value"
-    if [ ! -z "$key" ]; then
-        props["$key"]="$value"
-    fi
-  done < "$PASS_FILE"
-else
-  echo "error reading $PASS_FILE"
-  exit 1
-fi
-
-#echo "server_ssl_trust-store-password = " ${props["server.ssl.trust-store-password"]}
-#echo "server_ssl_key-store-password = " ${props["server.ssl.key-store-password"]}
+CONFIG_FILE="/etc/hirs/aca/application.properties"
 
 echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
 
-./gradlew bootRun --args="--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]} --server.ssl.key-store-password=${props["server.ssl.key-store-password"]}"
+./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE"
\ No newline at end of file
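Review bot: The check that the properties file exists was dropped together with the parsing loop, so a missing or unreadable `$CONFIG_FILE` now shows up only as a Gradle/Spring startup failure. A guard before the launch keeps the earlier clear error: `[ -r "$CONFIG_FILE" ] || { echo "error reading $CONFIG_FILE" >&2; exit 1; }`. The startup message also hard-codes `https://localhost:8443`, although port and TLS now depend entirely on the external file; a comment noting that `--spring.config.location` replaces the default config locations would make that dependency explicit.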
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
index d89cd894..e714fba4 100644
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -2,36 +2,43 @@
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
+CONF_DIR=/etc/hirs/aca
+LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log 
+LOG_DIR="/opt/embeddedtomcat/logs/"
+LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
+echo "LOG_FILE is $LOG_FILE"
 
 if [ "$EUID" -ne 0 ]
       then echo "The first time this script is run, this script requires root.  Please run as root"
       exit 1
 fi
 
-mkdir -p /etc/hirs/aca/
+echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
+
+mkdir -p $CONF_DIR  $LOG_DIR
 
 pushd $SCRIPT_DIR
 
 # If setup for development start with basic spring config
 if [ -f  $PROP_FILE ]; then
-   cp $PROP_FILE /etc/hirs/aca/.
+   cp $PROP_FILE $CONF_DIR/.
 fi
 
-sh ../db/db_create.sh
+sh ../db/db_create.sh $LOG_FILE
 if [ $? -eq 0 ]; then
-    echo "ACA database setup complete"
+    echo "ACA database setup complete" | tee -a "$LOG_FILE"
   else
-    echo "Error setting up ACA DB"
+    echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
     exit 1
 fi
-sh ../pki/pki_setup.sh
+sh ../pki/pki_setup.sh $LOG_FILE
 if [ $? -eq 0 ]; then 
-      echo "ACA PKI  setup complete"
+      echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
   else
-    echo "Error setting up ACA PKI"
+    echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
     exit 1
 fi
 
- echo "ACA setup complete"
+ echo "ACA setup complete" | tee -a "$LOG_FILE"
 
 popd
\ No newline at end of file
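Review bot: The first write to the log, `echo "HIRS ACA Setup initiated on ..." > "$LOG_FILE"`, runs before `mkdir -p $CONF_DIR  $LOG_DIR`, so on a host where `/opt/embeddedtomcat/logs/` does not exist yet the redirect fails and the header line is lost. Move the directory creation above that echo and quote the paths: `mkdir -p "$CONF_DIR" "$LOG_DIR"`. The same file later receives openssl and keytool output from the PKI scripts, so it is worth restricting its mode after creation, e.g. `chmod 640 "$LOG_FILE"`, and quoting `$LOG_FILE` where it is passed to `db_create.sh` and `pki_setup.sh`.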
diff --git a/package/scripts/pki/ca.conf b/package/scripts/pki/ca.conf
index eed05dab..cc1b92bc 100644
--- a/package/scripts/pki/ca.conf
+++ b/package/scripts/pki/ca.conf
@@ -23,6 +23,11 @@ organizationalUnitName = optional
 commonName = optional
 emailAddress = optional
 
+[ alternate_names ]
+DNS.1       = localhost
+DNS.2       = localhost.localdomain
+DNS.3       = 127.0.0.1
+
 [ ca_extensions ]
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
 basicConstraints = critical,CA:true,pathlen:1
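Review bot: `DNS.3 = 127.0.0.1` puts an IP address into a dNSName entry; TLS clients that follow the usual matching rules compare an IP literal only against iPAddress SAN entries, so a connection to `https://127.0.0.1:8443` would fail hostname verification with this certificate. Use `IP.1 = 127.0.0.1` in `[ alternate_names ]` instead. The section is pulled in by `subjectAltName = @alternate_names` in the next hunk, which needs no change.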
@@ -38,8 +43,9 @@ keyUsage                = critical,digitalSignature,keyEncipherment
 extendedKeyUsage        = serverAuth,clientAuth
 subjectKeyIdentifier    = hash
 authorityKeyIdentifier  = keyid:always
-authorityInfoAccess = caIssuers;URI:https://example.com/certs
+authorityInfoAccess     = caIssuers;URI:https://example.com/certs
 crlDistributionPoints   = URI:https://example.com/crl
+subjectAltName          = @alternate_names
 
 [ signer_extensions ]
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
@@ -47,5 +53,4 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
 keyUsage = critical, digitalSignature
 authorityInfoAccess = caIssuers;URI:https://example.com/certs/
-crlDistributionPoints   = URI:https://example.com/crl
-
+crlDistributionPoints   = URI:https://example.com/crl
\ No newline at end of file
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index f4dae1ed..0b3b114b 100644
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@@ -20,6 +20,7 @@ ASYM_ALG=$2
 ASYM_SIZE=$3
 HASH_ALG=$4
 PASS=$5
+LOG_FILE=$6
 ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test root ca"
 INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test ca"
@@ -32,13 +33,17 @@ KEYSTORE=KeyStore.jks
 
 # Parameter check 
 if [ -z "${ACTOR}" ] || [ -z "${ASYM_ALG}" ] || [ -z "${ASYM_SIZE}" ] || [ -z "${HASH_ALG}" ] || [ "${ACTOR}" == "-h" ] || [ "${ACTOR}" == "--help" ]; then
-   echo "parameter missing to pki_chain_gen.sh, exiting pki setup"
+   echo "parameter missing to pki_chain_gen.sh, exiting pki setup" | tee -a "$LOG_FILE"
    exit 1;
 fi
 
 if ! { [ $ASYM_ALG == "rsa" ] || [ $ASYM_ALG == "ecc" ]; }; then
-       echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup"
-       exit 1
+       echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup" | tee -a "$LOG_FILE"
+       exit 1;
+fi
+
+if [ -z ${LOG_FILE} ]; then
+       LOG_FILE="/dev/null"
 fi
 
 case $ASYM_SIZE in
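Review bot: The default `LOG_FILE="/dev/null"` is applied after the two parameter checks that already pipe into `tee -a "$LOG_FILE"`, so when the sixth argument is omitted those error paths run `tee -a ""` and add a tee error to the message. Set the default where the variable is read, `LOG_FILE=${6:-/dev/null}`, and drop the later `if [ -z ${LOG_FILE} ]` block, whose test is also unquoted. pki_setup.sh has the same gap: `LOG_FILE=$1` is used with `tee -a` and has no default when that script is run on its own.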
@@ -52,7 +57,7 @@ case $ASYM_SIZE in
      3072) KSIZE=3k;;
      4096) KSIZE=4k;;
      *) 
-       echo "$ASYM_SIZE is an unsupported key size, exiting pki setup"
+       echo "$ASYM_SIZE is an unsupported key size, exiting pki setup" | tee -a "$LOG_FILE"
        exit 1;;
 esac
 
@@ -72,25 +77,41 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
 INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
 SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
-TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=localhost"
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
 
 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
-   echo "Folder for $CERT_FOLDER exists, exiting..."
+   echo "Folder for $CERT_FOLDER exists, exiting..." | tee -a "$LOG_FILE"
    exit 1;
 fi
 
 # Intialize sub folders
-echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
+echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..." | tee -a "$LOG_FILE"
 
 mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
 cp ca.conf "$ACTOR_ALT"/.
 pushd "$ACTOR_ALT" &> /dev/null
 touch ca/db
+touch openssl-san.cnf
 if [ ! -f "ca/serial.txt" ]; then
-     echo "01" > ca/serial.txt
+     echo "01" > ca/serial.txt | tee -a "$LOG_FILE"
 fi
 
+# Function to add Cert to Truststore and key to Keystore
+add_to_stores () {
+   CERT_PATH=$1
+   ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias
+   echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE" 
+   # Add the cert and key to the key store. make a p12 file to import into te keystore
+   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
+   # Use the p12 file to import into a java keystore via keytool
+   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 
+   # Import the cert into a java trust store via keytool
+   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
+   # Remove the temp p1 file.
+   rm tmpkey.p12
+} 
+
 # Function to create an Intermediate Key, CSR, and Certificate
 # PARMS: 
 # 1. Cert Type String
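Review bot: `add_to_stores` hands the store password to openssl and keytool as command-line arguments (`-passout pass:$PASS`, `-srcstorepass $PASS`, `-storepass $PASS`), partly unquoted, so it is readable in the process list while each command runs. openssl accepts `env:VAR` or `file:PATH` as a password source and keytool accepts `-storepass:env VAR`, which keeps the value out of argv. The keytool import also reads oddly: `-destalias -J-Dcom.redhat.fips=false "$ALIAS"` places the JVM flag between the option and its value (repeated in `create_cert` below); the launcher probably strips `-J` options wherever they occur, but `-destalias "$ALIAS" -J-Dcom.redhat.fips=false` is unambiguous. A comment on why the root CA's private key is imported into `$KEYSTORE`, rather than only its certificate into `$TRUSTSTORE`, would help, and `echo "01" > ca/serial.txt | tee -a "$LOG_FILE"` sends nothing to `tee` because stdout is already redirected to the file.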
@@ -106,16 +127,16 @@ create_cert () {
    ISSUER_CERT="$ISSUER".pem
    ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias    
 
-   echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..."
+   echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
 
    if [ "$ASYM_ALG" == "rsa" ]; then 
        openssl req -newkey rsa:"$ASYM_SIZE" \
             -keyout "$CERT_PATH".key \
             -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
-            -passout pass:"$PASS" &> /dev/null
+            -passout pass:"$PASS"  >> "$LOG_FILE" 2>&1
    else
-       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
-       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" &> /dev/null    
+       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key  >> "$LOG_FILE" 2>&1
+       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
    fi
 
    openssl ca -config ca.conf \
@@ -127,17 +148,18 @@ create_cert () {
            -in "$CERT_PATH".csr \
            -passin pass:"$PASS" \
            -batch \
-           -notext                          &> /dev/null
+           -notext                       >> "$LOG_FILE" 2>&1
    # Increment the cert serial number
-   awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
+   SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
+   echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
    # remove csr file
    rm -f "$CERT_PATH".csr
    # Add the cert and key to the key store. make a p12 file to import into te keystore
-   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -passout pass:$PASS
+   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
    # Use the p12 file to import into a java keystore via keytool
-   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" &> /dev/null
+   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 
    # Import the cert into a java trust store via keytool
-   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" &> /dev/null
+   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
    # Remove the temp p1 file.
    rm tmpkey.p12
 }
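Review bot: `SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)` does not increment anything: awk only prints, the file is never rewritten, and with a comma separator on a file holding `01` the logged value is the file content followed by a tab and `1`. If `openssl ca` maintains the serial file through ca.conf (not visible in this hunk), drop the awk line and the "Increment the cert serial number" comment, or log the issued serial with `openssl x509 -noout -serial -in "$CERT_PATH".pem`. The three store-import commands at the end of `create_cert` are now the same as the body of the new `add_to_stores`; calling `add_to_stores "$CERT_PATH"` here would remove the duplicate. create_cert begins outside this hunk.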
@@ -168,30 +190,35 @@ create_cert_chain () {
    cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
 
  # echo "Checking signer cert using tust store..." 
-   openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem
+   openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
 }
 
-if [ "$ASYM_ALG" == "rsa" ]; then 
+if [ "$ASYM_ALG" == "rsa" ]; then
    # Create Root CA key pair and self signed cert
-   openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" &> /dev/null
-
+   echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
+   openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
+   
    # Create a self signed CA certificate
    openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
           -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS"   &> /dev/null
+          -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+   # Add the CA root cert to the Trust and Key stores
+   add_to_stores $PKI_ROOT
    # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
-   create_cert_chain
+   create_cert_chain 
 fi
 
 if [ "$ASYM_ALG" == "ecc" ]; then
     # Create Root CA key pair and self signed cert
-    openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key
+    echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
+    openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
 
     # Create a self signed CA certificate
     openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
           -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS"
+          -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
+    # Add the CA root cert to the Trust and Key stores
+    add_to_stores $PKI_ROOT
     # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
    create_cert_chain
-fi
-
+fi
\ No newline at end of file
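Review bot: Piping `openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem` into `tee -a` makes the pipeline's status that of `tee` (unless `pipefail` is set earlier in the script), so a signer certificate that fails verification no longer gives `create_cert_chain` a non-zero status; whether a caller checks it is not visible here. Test the command directly, for example `openssl verify -CAfile "$TRUST_STORE_FILE" "$RIM_SIGNER".pem >> "$LOG_FILE" 2>&1 || { echo "signer cert verification failed" | tee -a "$LOG_FILE"; exit 1; }`. Separately, `openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE"` names no cipher, so the root CA key is written unencrypted and `-passout` has no effect; if an encrypted key is intended, add a cipher option such as `-aes256` and give the following `openssl req` a matching `-passin`. create_cert_chain begins outside this hunk.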
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index cf2c2a52..a6492ae2 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -7,14 +7,15 @@
 ############################################################################################
 
 PROP_FILE=/etc/hirs/aca/application.properties
+LOG_FILE=$1
 
 # Capture location of the script to allow from invocation from any location 
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-echo "SCRIPT_DIR is $SCRIPT_DIR"
+echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
 
 # Check for sudo or root user 
 if [ "$EUID" -ne 0 ]
-        then echo "The first time this script is run, this script requires root.  Please run as root"
+        then echo "The first time this script is run, this script requires root.  Please run as root" | tee -a "$LOG_FILE"
         exit 1
 fi
 
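Review bot: `LOG_FILE=$1` has no default, so running pki_setup.sh without an argument leaves the log path empty. Each `| tee -a "$LOG_FILE"` then prints an error, and bash refuses a redirection of the form `>> "$LOG_FILE" 2>&1` with an empty target before the command runs. pki_chain_gen.sh uses that form for its openssl calls in this series, so presumably key generation would be skipped without any clear failure. A default such as `LOG_FILE=${1:-/dev/null}` keeps the script usable on its own.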
@@ -22,24 +23,12 @@ fi
 if [ -z $HIRS_PKI_PWD ]; then
    # Create a 32 character random password
    PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+   echo "Using randomly generated password" | tee -a "$LOG_FILE"
+  else
+   PKI_PASS=$HIRS_PKI_PWD
+   echo "Using system supplied password" | tee -a "$LOG_FILE"
 fi
 
-# Create an ACA properties file using the new password
-#pushd $SCRIPT_DIR &> /dev/null
-#  if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
-#      if [ -d /opt/hirs/scripts/aca ]; then
-#            ACA_SETUP_DIR="/opt/hirs/scripts/aca"
-#         else
-#            ACA_SETUP_DIR="$SCRIPT_DIR/../aca"
-#      fi
-#      echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
-#   sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
-#  else
-#     echo  "aca property file exists, skipping"
-#  fi
-
-popd &> /dev/null
-
 # Create Cert Chains
 if [ ! -d "/etc/hirs/certificates" ]; then
   
@@ -48,24 +37,28 @@ if [ ! -d "/etc/hirs/certificates" ]; then
          else
             PKI_SETUP_DIR="$SCRIPT_DIR"
       fi
-      echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
+      echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE"
+
+  mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"
 
-  mkdir -p /etc/hirs/certificates/
-   
   pushd  /etc/hirs/certificates/ &> /dev/null
   cp $PKI_SETUP_DIR/ca.conf .
-  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
-  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" 
+  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
+  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
   popd &> /dev/null
 
-  # Add/Replace password to properties file
-  if [ -f $PROP_FILE ]; then
-     sed -i '/server.ssl.key-store-password/d' $PROP_FILE
-     sed -i '/server.ssl.trust-store-password/d' $PROP_FILE
-  fi
+  # Add tomcat TLS support to the application.properties file 
+  echo "# Tomcat TLS support">> $PROP_FILE
+  echo "server.port=8443">> $PROP_FILE
+  echo "server.ssl.enabled=true">> $PROP_FILE
+  echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
+  echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
+  echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
+  echo "server.ssl.key-store-type=JKS">> $PROP_FILE
+  echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
+  echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
   echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
   echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
-
 else 
-  echo "/etc/hirs/certificates exists, skipping"
+  echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
 fi
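Review bot: The key-store and trust-store passwords are appended to `$PROP_FILE` in clear text, and this hunk drops the two `sed -i` lines that removed earlier `server.ssl.*-password` entries, so a re-run after the certificate directory has been removed would leave stale passwords and duplicate keys in the file. Nothing visible here restricts who can read the file; I would keep `sed -i '/server.ssl.key-store-password/d' "$PROP_FILE"` (and the trust-store equivalent) ahead of the appends and add `chmod 600 "$PROP_FILE"`, with ownership set to the account that runs the ACA. `$PKI_PASS` is also handed to pki_chain_gen.sh as a command-line argument, where it is visible in the process list while the script runs; an environment variable or a file would avoid that. Separately, `mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"` logs nothing on failure because mkdir reports errors on stderr, and the pipeline hides its exit status.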

From 172236a75b1db5f195b47437a7773d98eb76ab2f Mon Sep 17 00:00:00 2001
From: iadgovuser26 <iadgovuser26@empire.eclipse.ncsc.mil>
Date: Thu, 20 Jul 2023 11:52:45 -0400
Subject: [PATCH 11/12] moved logs to /var/log/hirs

---
 .../src/main/resources/application.properties |  4 ++--
 .../src/main/resources/log4j2-spring.xml      |  2 +-
 package/scripts/aca/aca_setup.sh              | 24 ++++++++++++-------
 3 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties
index 8b856317..8cdec2dc 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@@ -24,9 +24,9 @@ server.servlet.context-path=/HIRS_AttestationCAPortal
 spring.mvc.servlet.path=/portal
 
 server.tomcat.accesslog.enabled=true
-server.tomcat.accesslog.directory=logs
+server.tomcat.accesslog.directory=/var/log/hirs
 server.tomcat.accesslog.file-date-format=yyyy-MM-dd
-server.tomcat.accesslog.prefix=access_log
+server.tomcat.accesslog.prefix=Tomcat_accesslog_
 server.tomcat.accesslog.suffix=.log
 server.tomcat.accesslog.rotate=true
 
diff --git a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
index 5c4aadef..bbc5413c 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
+++ b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
@@ -4,7 +4,7 @@
         <Console name="STDOUT" target="SYSTEM_OUT">
             <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n"/>
         </Console>
-        <RollingFile name="FILE" fileName="./logs/HIRS_AttestationCA_Portal.log"
+        <RollingFile name="FILE" fileName="/var/log/hirs/HIRS_AttestationCA_Portal.log"
                      filePattern="./logs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log" >
             <PatternLayout>
                 <pattern>%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n</pattern>
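Review bot: `filePattern` still points at `./logs/`, so after this change the active log is written under /var/log/hirs while rolled-over files go to a directory relative to the process working directory. Anyone collecting or auditing the portal logs from /var/log/hirs would miss the rotated history, and rollover may fail if that relative directory does not exist or is not writable. Change the attribute to `filePattern="/var/log/hirs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log"`. The RollingFile element continues past the end of the hunk.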
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
index e714fba4..93edfa3d 100644
--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
@@ -1,10 +1,13 @@
 #!/bin/bash
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
-PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
-CONF_DIR=/etc/hirs/aca
+SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
+HIRS_CONF_DIR=/etc/hirs/aca
 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log 
-LOG_DIR="/opt/embeddedtomcat/logs/"
+LOG_DIR="/var/log/hirs/"
+HIRS_PROP_DIR="/opt/hirs/default-properties"
+COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
+VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
 LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
 echo "LOG_FILE is $LOG_FILE"
 
@@ -13,15 +16,18 @@ if [ "$EUID" -ne 0 ]
       exit 1
 fi
 
+mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
+
 echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
 
-mkdir -p $CONF_DIR  $LOG_DIR
+pushd $SCRIPT_DIR &>/dev/null
 
-pushd $SCRIPT_DIR
 
-# If setup for development start with basic spring config
-if [ -f  $PROP_FILE ]; then
-   cp $PROP_FILE $CONF_DIR/.
+# Copy HIRS configuration and data files if not a package install
+if [ -f $SPRING_PROP_FILE ]; then
+   cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.
+   cp -n $COMP_JSON $HIRS_PROP_DIR/.
+   cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
 fi
 
 sh ../db/db_create.sh $LOG_FILE
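Review bot: `pushd $SCRIPT_DIR &>/dev/null` now hides a failed directory change, and the script then runs `sh ../db/db_create.sh` and the relative `cp -n` sources from whatever directory the caller was in, after the root check has passed. Quote the path and stop on failure: `pushd "$SCRIPT_DIR" &>/dev/null || exit 1`. The new `mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR` creates the directories with the caller's umask; since the configuration directory receives application.properties, setting an explicit mode (for example `chmod 750 "$HIRS_CONF_DIR"`) would be a sensible addition. The script continues outside the hunk.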
@@ -41,4 +47,4 @@ fi
 
  echo "ACA setup complete" | tee -a "$LOG_FILE"
 
-popd
\ No newline at end of file
+popd &>/dev/null
\ No newline at end of file

From 3a72f8ad4d445ea0b5572a220d07d9ff6b0f0960 Mon Sep 17 00:00:00 2001
From: iadgovuser26 <iadgovuser26@empire.eclipse.ncsc.mil>
Date: Thu, 20 Jul 2023 12:50:01 -0400
Subject: [PATCH 12/12] removed un-needed files

---
 HIRS_AttestationCAPortal/build.gradle      |  7 --
 HIRS_Utils/build.gradle                    |  1 -
 package/scripts/aca/aca_property_setup.sh  | 27 --------
 package/scripts/pki/.prop.file             |  9 ---
 package/scripts/pki/pki_update_tls_cert.sh | 81 ----------------------
 5 files changed, 125 deletions(-)
 delete mode 100644 package/scripts/aca/aca_property_setup.sh
 delete mode 100644 package/scripts/pki/.prop.file
 delete mode 100644 package/scripts/pki/pki_update_tls_cert.sh

diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle
index dcadd19d..49746e8c 100644
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@@ -51,13 +51,6 @@ dependencies {
     implementation 'org.junit.jupiter:junit-jupiter:5.4.2'
     implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
 
-//    implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
-//    implementation 'jakarta.servlet:jakarta.servlet-api:6.0.0'
-//    implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
-//    implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'    
-//    implementation 'jakarta.el:jakarta.el-api:5.0.0'
-
-
     compileOnly 'org.projectlombok:lombok'
     runtimeOnly 'org.mariadb.jdbc:mariadb-java-client'
     annotationProcessor 'org.projectlombok:lombok'
diff --git a/HIRS_Utils/build.gradle b/HIRS_Utils/build.gradle
index eb44b057..ea0abd57 100644
--- a/HIRS_Utils/build.gradle
+++ b/HIRS_Utils/build.gradle
@@ -36,7 +36,6 @@ dependencies {
     implementation libs.commons.codec
     implementation libs.commons.lang3
     implementation libs.minimal.json
-    implementation libs.jakarta.api
 
     implementation 'org.apache.logging.log4j:log4j-core:2.19.0'
     implementation 'org.apache.logging.log4j:log4j-api:2.19.0'
diff --git a/package/scripts/aca/aca_property_setup.sh b/package/scripts/aca/aca_property_setup.sh
deleted file mode 100644
index fd05779a..00000000
--- a/package/scripts/aca/aca_property_setup.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-# Create aca.poperties file
-
-pki_password=$1
-
-rm  -f /etc/hirs/aca.properties 
-aca_prop_file="/etc/hirs/aca.properties"
-
-echo  '# *** ACA Directories ***
-aca.directories.root         = /etc/hirs/
-aca.directories.certificates = ${aca.directories.root}/certificates' > $aca_prop_file
-
-echo  '# *** Certificate and Key Properties ***
-aca.setup.keys.rsa.keySize         =  3072
-aca.setup.keys.ecc.keySize         =  512
-aca.setup.certificates.validity    =  3652
-aca.setup.certificates.subjectName =  HIRS_AttestationCA
-aca.setup.certificates.expiration  =  ${aca.setup.certificates.validity}' >>  $aca_prop_file
-
-echo  '# *** Keystore properties ***
-aca.keyStore.alias     =  HIRS_ACA_KEY
-aca.keyStore.rsa.alias =  hirs_leaf_ca1_rsa_3072_sha384
-aca.keyStore.ecc.alias =  hirs_leaf_ca1_ecc_512_sha384 
-aca.keyStore.location  =  ${aca.directories.certificates}/keyStore.jks
-aca.keyStore.password  =  '$pki_password >> $aca_prop_file
-
diff --git a/package/scripts/pki/.prop.file b/package/scripts/pki/.prop.file
deleted file mode 100644
index 1c47967e..00000000
--- a/package/scripts/pki/.prop.file
+++ /dev/null
@@ -1,9 +0,0 @@
-# *** ACA Directories ***
-aca.directories.root         = /etc/hirs/
-aca.directories.certificates = ${aca.directories.root}/certificates
-# *** Certificate and Key Properties ***
-aca.setup.keys.rsa.keySize         =  3072
-aca.setup.keys.ecc.keySize         =  512
-aca.setup.certificates.validity    =  3652
-aca.setup.certificates.subjectName =  HIRS_AttestationCA
-aca.setup.certificates.expiration  =  ${aca.setup.certificates.validity}
diff --git a/package/scripts/pki/pki_update_tls_cert.sh b/package/scripts/pki/pki_update_tls_cert.sh
deleted file mode 100644
index cd124bff..00000000
--- a/package/scripts/pki/pki_update_tls_cert.sh
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/bin/bash
-
-CN=$1
-PASS=$2
-ACTOR="HIRS"
-ACTOR_ALT=${ACTOR// /_}
-ASYM_ALG="rsa"
-ASYM_SIZE=3072
-KSIZE="3k"
-HASH_ALG="sha384"
-CERT_FOLDER="/etc/hirs/certificates/HIRS/$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_certs
-#CERT_FOLDER="."
-EXTENSION="server_extensions"
-TRUSTSTORE="/etc/hirs/certificates/HIRS/TrustStore.jks"
-
-echo "CERT_FOLDER is $CERT_FOLDER"
-
-
-if [ -z "${CN}" ] || [ -z "${PASS}" ] || [ "${CN}" == "-h" ] || [ "${CN}" == "--help" ]; then
-   echo "parameter missing to pki_tls_update.sh, exiting"
-   exit 1;
-fi
-
-TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=$CN"
-
-TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
-PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
-
-echo "TLS_SERVER is $TLS_SERVER"
-create_cert () {
-   CERT_PATH="$1"
-   ISSUER="$2"
-   SUBJ_DN="$3"
-   ISSUER_KEY="$ISSUER".key
-   ISSUER_CERT="$ISSUER".pem
-   ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias
-
-   pushd /etc/hirs/certificates/HIRS
-
-#   if [ "$CERT_TYPE" == "rim_signer" ]; then
-#      EXTENSION="signer_extensions"
-#   else
-#      EXTENSION="ca_extensions"
-#   fi
-
-   echo "Updating cert for "$CERT_PATH".pem using $ISSUER_KEY with a DN="$SUBJ_DN" using $EXTENSION."
-
-  if [ "$ASYM_ALG" == "rsa" ]; then
-       openssl req -newkey rsa:"$ASYM_SIZE" \
-            -keyout "$CERT_PATH".key \
-            -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
-            -passout pass:"$PASS" 
-#&> /dev/null
-   else
-       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
-       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" &> /dev/null
-   fi
-   openssl ca -config ca.conf \
-           -keyfile "$ISSUER_KEY" \
-           -md $HASH_ALG \
-           -cert "$ISSUER_CERT" \
-           -extensions "$EXTENSION" \
-           -out "$CERT_PATH".pem \
-           -in "$CERT_PATH".csr \
-           -passin pass:"$PASS" \
-           -batch \
-           -notext                          
-    popd
-
-#&> /dev/null
-   # Increment the cert serial number
-   awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
-   # remove csr file
-   rm -f "$CERT_PATH".csr
-   # remove all cert from TrustStore.jks
-   keytool -delete -noprompt -alias hirs_aca_tls_rsa_3k_sha384 -keystore $TRUSTSTORE -storepass $PASS
-   # insert new cert into TrustStore.jks with same alias 
-   keytool -import -file ""$CERT_PATH".pem" -alias hirs_aca_tls_rsa_3k_sha384 -keystore $TRUSTSTORE -storepass $PASS
-}
-
-create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"